
A user deleted multiple users for the first time

This playbook is part of the Cortex Response And Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 8.9.0 and later.

This playbook addresses the following alerts:

  • A user deleted multiple users for the first time

Playbook Stages:

Triage:

  • Collect initial alert data regarding the event.
  • Check the user type of the source user.
  • Host enrichment.

Investigation:

  • Check if an admin user initiated the operation and whether the deleted users are disabled.
  • Correlate recent user activity with related security alerts.
  • Assess the user's and host's risk levels in Cortex XDR.
  • Check the type of the target user(s).

Remediation:

  • Evaluate the investigation findings; if the alert is a true positive (TP), the playbook displays the findings to an analyst for review and suggests disabling the user and/or host account.
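The investigation and remediation stages above, condensed into one decision function as an added example (not the playbook's own logic or any Cortex API): the alert fields, the rule that any finding makes the alert a TP, and the mapping of findings to the listed commands are assumptions for illustration, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class Verdict:
    true_positive: bool
    reasons: List[str] = field(default_factory=list)
    suggested_actions: List[str] = field(default_factory=list)

# Assumed shapes: source_user {"name", "is_admin"}; deleted_users [{"name", "enabled", "type"}]
# risky_users / risky_hosts: names as core-list-risky-users / core-list-risky-hosts would return
def evaluate_deletion_alert(source_user: dict, deleted_users: List[dict],
                            related_alerts: List[str], risky_users: Set[str],
                            risky_hosts: Set[str], host: str) -> Verdict:
    reasons = []
    if not source_user["is_admin"]:            # was the operation initiated by an admin?
        reasons.append("source user is not an admin")
    live = [u["name"] for u in deleted_users if u["enabled"]]
    if live:                                   # were the deleted users already disabled?
        reasons.append("enabled accounts deleted: " + ", ".join(live))
    privileged = [u["name"] for u in deleted_users if u["type"] == "admin"]
    if privileged:                             # type of the target users
        reasons.append("admin accounts deleted: " + ", ".join(privileged))
    if related_alerts:                         # correlation with related security alerts
        reasons.append(f"{len(related_alerts)} related alert(s) for the source user")
    if source_user["name"] in risky_users:     # XDR risk level of the user
        reasons.append("source user flagged as risky")
    if host in risky_hosts:                    # XDR risk level of the host
        reasons.append("source host flagged as risky")
    # Assumption: any finding makes this a TP for analyst review; actions are suggestions only.
    verdict = Verdict(true_positive=bool(reasons), reasons=reasons)
    if verdict.true_positive:
        verdict.suggested_actions.append(f"ad-disable-account {source_user['name']}")
        if host in risky_hosts:
            verdict.suggested_actions.append(f"core-isolate-endpoint {host}")
    return verdict

# Constructed sample: an admin removing two already-disabled accounts (expected benign).
BENIGN = dict(source_user={"name": "it-admin", "is_admin": True}, host="HR-PC01",
              deleted_users=[{"name": "olduser1", "enabled": False, "type": "user"},
                             {"name": "olduser2", "enabled": False, "type": "user"}],
              related_alerts=[], risky_users=set(), risky_hosts=set())

# Constructed sample: a non-admin on a risky host deleting an enabled admin account.
SUSPICIOUS = dict(source_user={"name": "jdoe", "is_admin": False}, host="WS-042",
                  deleted_users=[{"name": "svc-backup", "enabled": True, "type": "admin"}],
                  related_alerts=["credential access alert"], risky_users={"jdoe"},
                  risky_hosts={"WS-042"})
```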

Requirements:

For response actions, you need the following integrations:

  • Cortex Core - Investigation and Response
  • Active Directory Query v2

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • BetweenHours
  • SearchAlertsV2
  • SetAndHandleEmpty

Commands

  • ad-disable-account
  • ad-get-user
  • closeInvestigation
  • core-get-cloud-original-alerts
  • core-get-endpoints
  • core-isolate-endpoint
  • core-list-risky-hosts
  • core-list-risky-users

Playbook Inputs


There are no inputs for this playbook.

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Image: A user deleted multiple users for the first time]