Identity Analytics - Alert Handling

The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following: Analysis: - Enriches the Indicators and the account, providing additional context and information about these indicators. Verdict: - Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: - Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: - Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP and revoking or clearing user's sessions. - Handles non-malicious alerts identified during the investigation.

Core · 30 tasks · 9 inputs · 0 outputs

Inputs

  • RelatedAlertsThreshold — This is the minimum threshold for XSIAM related alerts, based on MITRE tactics used to identify malicious activity by the user in the last 1 day. Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity. The default value is '5'.
  • FailedLogonThreshold — This is the minimum threshold for user login failures within the last 1 day. example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity. The default value is '30'.
  • OktaSuspiciousEventsThreshold — This is the minimum threshold for suspicious Okta activity events by the user in the last 1 day. example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity. The default value is '5'.
  • AzureMfaFailedLogonThreshold — This is the minimum threshold for MFA failed logins by the user in the last 1 day. Required to determine how many MFA failed logon events count as malicious events.
  • AutoRemediation — Whether to execute the remediation flow automatically. Possible values are: "True" and "False".
  • AutoContainment — Whether to execute containment plan (except isolation) automatically. Possible values are: "True" and "False".
  • UserContainment — Whether to disable the user account using the 'Containment Plan' su-playbook. Possible values are: "True" and "False".
  • ClearUserSessions — Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook. Possible values are: "True" and "False".
  • IAMRemediationType — The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users: Reset: By entering "Reset" in the input, the playbook will execute password reset. Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session. ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks.

Commands used

closeInvestigation core-get-cloud-original-alerts extractIndicators

Flowchart

yes yes Malicious Non-Malicious Yes yes yes yes Start Start Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Analysis Analysis Found malicious evidence based on enrichment data? Found malicious evidence ... Verdict Verdict Cloud IAM Enrichment - Generic - Cloud IAM Enrichment - Generic Cloud IAM Enrichment - Ge... Cloud IAM Enrichment - Generic Remediation Remediation Investigation Investigation Found any malicious user activity? Found any malicious user ... Analyst Decision Analyst Decision No Malicious activity identified No Malicious activity ide... Close Investigation - closeInvestigation Close Investigation closeInvestigation Set Alert Verdict - Set Set Alert Verdict Set Should perform remediation actions automatically? Should perform remediatio... Done Done Okta - User Investigation - Okta - User Investigation Okta - User Investigation Okta - User Investigation Get entity alerts by MITRE tactics - Get entity alerts by MITRE tactics Get entity alerts by MITR... Get entity alerts by MITRE ta... Azure - User Investigation - Azure - User Investigation Azure - User Investigation Azure - User Investigation Cloud Credentials Rotation - Azure - Cloud Credentials Rotation - Azure Cloud Credentials Rotatio... Cloud Credentials Rotation - ... Fetch alert extra data - core-get-cloud-original-alerts Fetch alert extra data core-get-cloud-original-alerts Containment Plan - Containment Plan Containment Plan Containment Plan Malicious Activity identified Malicious Activity identi... Set Alert Verdict - Set Set Alert Verdict Set Set Number of Related Alerts - SetAndHandleEmpty Set Number of Related Alerts SetAndHandleEmpty Should Perform Cloud Remediation? Should Perform Cloud Reme... Manual Remediation Manual Remediation Auto Remediation Auto Remediation Is the resource log is Azure? Is the resource log is Az... Extract and enrich the alert indicators - extractIndicators Extract and enrich the al... extractIndicators Verify User is not Empty Verify User is not Empty