# A user deleted multiple users for the first time

This playbook is part of the Cortex Response And Remediation Pack.

## Supported versions

Supported Cortex XSOAR versions: 8.9.0 and later.

This playbook addresses the following alerts:

- A user deleted multiple users for the first time
Playbook Stages:

Triage:
- Collect initial alert data regarding the event.
- Check the user type of the source user.
- Host enrichment.

Investigation:
- Check whether an admin user initiated the operation and whether the deleted users are disabled.
- Correlate recent user activity with related security alerts.
- Assess the user's and host's risk levels in Cortex XDR.
- Check the type of the target user.

Remediation:
- Evaluate the investigation findings. If the alert is a true positive (TP), the playbook displays the findings to an analyst for review and suggests user/host account disablement.
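The stages above, worked through as an added Python example that is not part of the playbook or the pack: one function combines the investigation checks on a constructed alert and returns the verdict plus the response commands to suggest for analyst review. All field names, the working-hours window used for the BetweenHours-style check, and the weighting of the checks are assumptions.

```python
from datetime import datetime

# Constructed sample data (not real Cortex XDR output): the fields the playbook's
# triage and investigation stages would collect. Field names are assumptions.
SAMPLE_ALERT = {
    "source_user": "CORP\\jdoe",
    "source_user_is_admin": False,                   # from ad-get-user
    "source_host": "WS-0231",
    "deleted_users": ["CORP\\u1", "CORP\\u2", "CORP\\u3"],
    "deleted_users_disabled": [True, False, False],  # from ad-get-user per target
    "event_time": datetime(2024, 5, 3, 2, 17),
    "related_alerts": ["Abnormal login", "Credential dumping"],  # from SearchAlertsV2
    "user_risk": "HIGH",                             # from core-list-risky-users
    "host_risk": "MEDIUM",                           # from core-list-risky-hosts
}

WORK_HOURS = (8, 18)  # assumed working-hours window for the BetweenHours check

def assess(alert: dict) -> dict:
    """Turn the investigation checks into a verdict and suggested actions (weighting is an illustrative assumption)."""
    findings, indicators = [], 0
    # An admin removing accounts that were already disabled reads as housekeeping;
    # a non-admin initiator or deletion of active accounts is suspicious.
    benign_pattern = alert["source_user_is_admin"] and all(alert["deleted_users_disabled"])
    if benign_pattern:
        findings.append("admin deleted only already-disabled accounts")
    else:
        active = [u for u, d in zip(alert["deleted_users"], alert["deleted_users_disabled"]) if not d]
        findings.append(f"non-admin initiator or active accounts deleted: {active}")
        indicators += 1
    # BetweenHours-style check: a deletion outside working hours adds weight.
    hour = alert["event_time"].hour
    if not WORK_HOURS[0] <= hour < WORK_HOURS[1]:
        findings.append(f"deletion at {hour:02d}:xx is outside working hours")
        indicators += 1
    # Correlate with related alerts and Cortex XDR risk levels.
    if alert["related_alerts"]:
        findings.append(f"{len(alert['related_alerts'])} related alerts on the source user")
        indicators += 1
    if "HIGH" in (alert["user_risk"], alert["host_risk"]):
        findings.append("user or host rated HIGH risk in Cortex XDR")
        indicators += 1
    # TP needs the benign pattern to fail plus one supporting indicator; actions are suggestions for the analyst.
    is_tp = not benign_pattern and indicators >= 2
    actions = []
    if is_tp:
        actions.append(f"ad-disable-account {alert['source_user']}")
        if alert["host_risk"] == "HIGH":
            actions.append(f"core-isolate-endpoint {alert['source_host']}")
    return {"verdict": "TP" if is_tp else "FP", "findings": findings, "actions": actions}
```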
Requirements:
For response actions, you need the following integrations:
- Cortex Core - Investigation and Response
- Active Directory Query v2.
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

This playbook does not use any sub-playbooks.

### Integrations

This playbook does not use any integrations.

### Scripts

- BetweenHours
- SearchAlertsV2
- SetAndHandleEmpty

### Commands

- ad-disable-account
- ad-get-user
- closeInvestigation
- core-get-cloud-original-alerts
- core-get-endpoints
- core-isolate-endpoint
- core-list-risky-hosts
- core-list-risky-users

## Playbook Inputs

There are no inputs for this playbook.

## Playbook Outputs

There are no outputs for this playbook.