Identity Analytics - Alert Handling
The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following: Analysis: - Enriches the Indicators and the account, providing additional context and information about these indicators. Verdict: - Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: - Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: - Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP and revoking or clearing user's sessions. - Handles non-malicious alerts identified during the investigation.
Core · 30 tasks · 9 inputs · 0 outputs
Inputs
RelatedAlertsThreshold— This is the minimum threshold for XSIAM related alerts, based on MITRE tactics used to identify malicious activity by the user in the last 1 day. Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity. The default value is '5'.FailedLogonThreshold— This is the minimum threshold for user login failures within the last 1 day. example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity. The default value is '30'.OktaSuspiciousEventsThreshold— This is the minimum threshold for suspicious Okta activity events by the user in the last 1 day. example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity. The default value is '5'.AzureMfaFailedLogonThreshold— This is the minimum threshold for MFA failed logins by the user in the last 1 day. Required to determine how many MFA failed logon events count as malicious events.AutoRemediation— Whether to execute the remediation flow automatically. Possible values are: "True" and "False".AutoContainment— Whether to execute containment plan (except isolation) automatically. Possible values are: "True" and "False".UserContainment— Whether to disable the user account using the 'Containment Plan' su-playbook. Possible values are: "True" and "False".ClearUserSessions— Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook. Possible values are: "True" and "False".IAMRemediationType— The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users: Reset: By entering "Reset" in the input, the playbook will execute password reset. Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session. ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks.
Commands used
closeInvestigation
core-get-cloud-original-alerts
extractIndicators