Handle Shadow IT Incident
This Playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization that is not sanctioned by IT nor protected by the InfoSec team is found. This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process.
Shadow IT · 44 tasks · 4 inputs · 0 outputs
Inputs
Notify Manager— Notify user's managerShadowITIndicatorTags— Tags to add to indicators to identify potential Shadow IT assetsManagerNotificationSubjectPrefix— This input is added as prefix to the owner name to build the subject of the email sent to the owner's manager.ManagerNotificationBody— Body of the email to send to the owner's manager.
Commands used
appendIndicatorField
findIndicators
send-mail
setIncident