Supported Cortex XSOAR versions: 6.8.0 and later.
Investigates a Cortex XDR incident containing First SSO access from ASN in organization or First successful SSO connection from a country in organization.
The playbook executes the following:
- IP and User Enrichment.
- User Investigation - Using 'User Investigation - Generic' sub-playbook.
- Set alert's verdict - Using 'Cortex XDR - First SSO access - Set Verdict' sub-playbook.
- Response based on the verdict.
The playbook is used as a sub-playbook in ‘Cortex XDR Incident Handling - v3’.
This playbook uses the following sub-playbooks, integrations, and scripts.
- TIM - Indicator Relationships Analysis
- Endpoint Enrichment - Generic v2.1
- Block Account - Generic v2
- User Investigation - Generic
- Account Enrichment - Generic v2.1
- Cortex XDR - First SSO Access - Set Verdict
|AutomaticallyIsolateEndpoint||Whether to isolate the endpoint automatically.||False||Optional|
This is the minimum threshold for XDR related alerts based on user activity to identify suspicious activity.
example: If this input is set to '3', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 4 XDR related alerts - It will classify this check as suspicious activity.
The default value is '3'.
|FailedlogonUserThreshold||This is the minimum threshold for failed login attempts by the user.|
example: If this input is set to '30', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 31 failed login attempts - It will classify this check as suspicious activity.
The default value is '30'.
|FailedlogonFromASNThreshold||This is the minimum threshold for failed login attempts from ASN.|
example: If this input is set to '20', and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook has found 21 failed login attempts from ASN - It will classify this check as suspicious activity.
The default value is '20'.
|EndpointID||XDR Endpoint ID.||Optional|
|IPAddress||IP Address from the XDR Alert.||Optional|
|LoginCountry||The country from which the user logged in.||Optional|
|AutomaticallyBlockAccount||Whether to block the account automatically.||False||Optional|
|ContactUserManager||Whether to ask the user manager for the legitimacy of the login events, in case of a user logged in from an unusual country.||False||Optional|
|MaliciousVerdictThreshold||The 'Malicious verdict' threshold to determine a malicious verdict.|
The default value is '2'.
Should be Greater than the "SuspiciousVerdictThreshold" input.
|SuspiciousVerdictThreshold||The 'Suspicious verdict' threshold to determine a suspicious verdict.|
The default value is '1'.
Should be lower than the "MaliciousVerdictThreshold" input.
|SplunkIndex||Splunk's index name in which to search. Default is "*" - All.||*||Optional|
|SplunkEarliestTime||The earliest time for the Splunk search query.||-1d||Optional|
|SplunkLatestTime||The latest time for the Splunk search query.||now||Optional|
|QRadarSearchTime||The Search Time for the QRadar search query. for example: Last 1 days||Last 1 days||Optional|
|AzureSearchTime||The Search Time for the Azure Log Analytics search query. for example: ago(1d)||ago(1d)||Optional|
|SIEMFailedLogonSearch||Whether to search for failed logon logs from Siem? Can be False or True.||True||Optional|
|ThreatLogSearch||Whether to search for threat logs from PAN-OS? Can be False or True.||True||Optional|
|XDRAlertSearch||Whether to search for Related alerts from XDR? Can be False or True.||True||Optional|
|OktaSearch||Whether to search for logs from Okta? Can be False or True.||True||Optional|
|XDRUsernameField||Cortex XDR User name Field.||actor_effective_username||Optional|
|AutomaticallyClearSessions||Whether to clear all the user sessions automatically. Can be used in conjunction with the ForceClearSessionsForHighRiskUsers input.||False||Optional|
|ForceClearSessionsForHighRiskUsers||Whether to clear user sessions regardless of the AutomaticallyClearSessions input for users with High risk.|
Users receive their risk level based on Cortex XDR's ITDR module. The risks can be:
Setting this to True will automatically clear the user sessions in Okta if the user has a high risk. Setting this and the AutomaticallyClearSessions inputs to False, will prompt the analyst to take action manually even if the user has a high risk associated with it.
There are no outputs for this playbook.