Skip to main content

Access Investigation - Generic - NIST

This Playbook is part of the NIST Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook investigates an access incident by gathering user and IP information, and handling the incident based on the stages in "Handling an incident - Computer Security Incident Handling Guide" by NIST.

Used Sub-playbooks:

  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • Block IP - Generic v3
  • NIST - Lessons Learned


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Account Enrichment - Generic v2.1
  • IP Enrichment - Generic v2
  • Block IP - Generic v3
  • NIST - Lessons Learned


  • Active Directory Query v2


  • GenerateInvestigationSummaryReport


  • closeInvestigation
  • send-mail
  • ad-get-user
  • ad-expire-password
  • ad-disable-account
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
SrcIPThe source IP address from which the incident originated.Optional
DstIPThe target IP address that was accessed.Optional
UsernameThe email address of the account that was used to access the DstIP.Optional
NotifyEmailEmail addresses to notify about the incident.Optional
RemediationSLAThe Remediation SLA for the 'Containment, Eradication, and Recovery' stage (in minutes).Optional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes).lists.PrivateIPsOptional

Playbook Outputs#

IPThe IP objectsunknown
EndpointThe Endpoint's objectunknown
Endpoint.HostnameThe hostname to enrichstring
Endpoint.OSEndpoint OSstring
Endpoint.IPList of endpoint IP addressesunknown
Endpoint.MACList of endpoint MAC addressesunknown
Endpoint.DomainEndpoint domain namestring
AccountThe account object.unknown
Account.DisplayNameThe user display name.unknown
Account.GroupsGroups for which the user is a member.unknown
Account.ManagerThe user manager.unknown
Account.IDThe user distinguished name.unknown
Account.UsernameThe user sAMAccountName.unknown
Account.EmailThe user email address.unknown
ActiveDirectory.Users.userAccountControlThe user account control flag.unknown
ActiveDirectory.Users.sAMAccountNameThe user sAMAccountName.unknown
ActiveDirectory.Users.nameThe user common name.unknown

Playbook Image#

Access Investigation - Generic - NIST