Cortex XDR - First SSO Access Deprecated

Deprecated. Use `Cortex XDR - Identity Analytics` instead. Investigates a Cortex XDR incident containing First SSO access from ASN in organization or First successful SSO connection from a country in organization. The playbook executes the following: - IP and User Enrichment. - User Investigation - Using 'User Investigation - Generic' sub-playbook. - Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook. - Response based on the verdict. The playbook is used as a sub-playbook in ‘Cortex XDR Incident Handling - v3’.

Cortex XDR by Palo Alto Networks · 40 tasks · 25 inputs · 0 outputs

Inputs

  • AutomaticallyIsolateEndpoint — Whether to isolate the endpoint automatically.
  • XDRRelatedAlertsThreshold — This is the minimum threshold for XDR related alerts based on user activity to identify suspicious activity. example: If this input is set to '3', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 4 XDR related alerts - It will classify this check as suspicious activity. The default value is '3'.
  • FailedlogonUserThreshold — This is the minimum threshold for failed login attempts by the user. example: If this input is set to '30', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 31 failed login attempts - It will classify this check as suspicious activity. The default value is '30'.
  • FailedlogonFromASNThreshold — This is the minimum threshold for failed login attempts from ASN. example: If this input is set to '20', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 21 failed login attempts from ASN - It will classify this check as suspicious activity. The default value is '20'.
  • EndpointID — XDR Endpoint ID.
  • Username — User name.
  • IPAddress — IP Address from the XDR Alert.
  • LoginCountry — The country from which the user logged in.
  • AutomaticallyBlockAccount — Whether to block the account automatically.
  • ContactUserManager — Whether to ask the user manager for the legitimacy of the login events, in case of a user logged in from an unusual country.
  • AlertName — Alert Name.
  • MaliciousVerdictThreshold — The 'Malicious verdict' threshold to determine a malicious verdict. The default value is '2'. Should be Greater than the "SuspiciousVerdictThreshold" input.
  • SuspiciousVerdictThreshold — The 'Suspicious verdict' threshold to determine a suspicious verdict. The default value is '1'. Should be lower than the "MaliciousVerdictThreshold" input.
  • SplunkIndex — Splunk's index name in which to search. Default is "*" - All.
  • SplunkEarliestTime — The earliest time for the Splunk search query.
  • SplunkLatestTime — The latest time for the Splunk search query.
  • QRadarSearchTime — The Search Time for the QRadar search query. for example: Last 1 days
  • AzureSearchTime — The Search Time for the Azure Log Analytics search query. for example: ago(1d)
  • SIEMFailedLogonSearch — Whether to search for failed logon logs from Siem? Can be False or True.
  • ThreatLogSearch — Whether to search for threat logs from PAN-OS? Can be False or True.
  • XDRAlertSearch — Whether to search for Related alerts from XDR? Can be False or True.
  • OktaSearch — Whether to search for logs from Okta? Can be False or True.
  • XDRUsernameField — Cortex XDR User name Field.
  • AutomaticallyClearSessions — Whether to clear all the user sessions automatically. Can be used in conjunction with the ForceClearSessionsForHighRiskUsers input.
  • ForceClearSessionsForHighRiskUsers — Whether to clear user sessions regardless of the AutomaticallyClearSessions input for users with High risk. Users receive their risk level based on Cortex XDR's ITDR module. The risks can be: - LOW - MED - HIGH Setting this to True will automatically clear the user sessions in Okta if the user has a high risk. Setting this and the AutomaticallyClearSessions inputs to False, will prompt the analyst to take action manually even if the user has a high risk associated with it.

Commands used

ip okta-clear-user-sessions setIncident xdr-endpoint-isolate

Flowchart

yes yes yes yes yes No Yes yes Manual decision yes yes yes Yes, high risk user Start Start IP Enrichment - ip IP Enrichment ip Analysis Analysis Set Verdict Set Verdict Remediation Remediation Done Done Manually Block Account Manually Block Account Are the manager contact details exist? Are the manager contact d... Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Get Manager Response Get Manager Response IP is malicious? IP is malicious? Containment Containment Investigation Investigation Should the Endpoint be isolated automatically? Should the Endpoint be is... Manually Endpoint isolation Manually Endpoint isolation Cortex XDR - Isolate Endpoint - xdr-endpoint-isolate Cortex XDR - Isolate Endp... xdr-endpoint-isolate Set XDR alerts details - setIncident Set XDR alerts details setIncident Containment - Complete Containment - Complete Block Account - Generic v2 - Block Account - Generic v2 Block Account - Generic v2 Block Account - Generic v2 Manually reset 2FA / clear user sessions / block if needed Manually reset 2FA / clea... TIM - Indicator Relationships Analysis - TIM - Indicator Relationships Analysis TIM - Indicator Relations... TIM - Indicator Relationships... Set Related Campaign - Set Set Related Campaign Set User Investigation - Generic - User Investigation - Generic User Investigation - Generic User Investigation - Generic Cortex XDR - First SSO Access - Set Verdict - Cortex XDR - First SSO Access - Set Verdict Cortex XDR - First SSO Ac... Cortex XDR - First SSO Access... Relate campaign exist? Relate campaign exist? Should the Account be disabled automatically? Should the Account be dis... Remediation Complete Remediation Complete Analyst decision - Is this a True positive? Analyst decision - Is thi... User Investigation User Investigation TIM - Indicator Relationships Analysis TIM - Indicator Relations... Manager Engagment Manager Engagment Action Based On Verdict Action Based On Verdict Should engage with the manager? Should engage with the ma... Should run remediation actions? Should run remediation ac... False positive False positive Is Okta V2 integration enabled ? Is Okta V2 integration en... Should verify factor authentication automatically? Should verify factor auth... Okta - Clear user sessions - okta-clear-user-sessions Okta - Clear user sessions okta-clear-user-sessions Endpoint Enrichment - Generic v2.1 - Endpoint Enrichment - Generic v2.1 Endpoint Enrichment - Gen... Endpoint Enrichment - Generic... Force clear sessions Force clear sessions