
Cortex XDR - First SSO Access

This playbook is part of the Cortex XDR by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Investigates a Cortex XDR incident containing a "First SSO access from ASN in organization" or "First successful SSO connection from a country in organization" alert.

The playbook executes the following:

  • IP and user enrichment.
  • User investigation, using the 'User Investigation - Generic' sub-playbook.
  • Setting the alert's verdict, using the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook.
  • Response actions based on the verdict.

The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v3'.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cortex XDR - First SSO Access - Set Verdict
  • TIM - Indicator Relationships Analysis
  • Account Enrichment - Generic v2.1
  • User Investigation - Generic
  • Block Account - Generic v2

Integrations

  • XDR_iocs
  • XQLQueryingEngine
  • CortexXDRIR

Scripts

  • Set

Commands

  • ad-expire-password
  • ip
  • setIncident
  • xdr-endpoint-isolate

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AutomaticallyIsolateEndpoint | Whether to isolate the endpoint automatically. | False | Optional |
| XDRRelatedAlertsThreshold | Minimum threshold for Cortex XDR related alerts based on the user's activity, above which the activity is classified as suspicious. Example: if this input is set to '3' and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook finds 4 related alerts, this check is classified as suspicious activity. | 3 | Optional |
| FailedlogonUserThreshold | Minimum threshold for failed login attempts by the user. Example: if this input is set to '30' and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook finds 31 failed login attempts, this check is classified as suspicious activity. | 30 | Optional |
| FailedlogonFromASNThreshold | Minimum threshold for failed login attempts from the ASN. Example: if this input is set to '20' and the 'Cortex XDR - First SSO Access - Set Verdict' sub-playbook finds 21 failed login attempts from the ASN, this check is classified as suspicious activity. | 20 | Optional |
| EndpointID | Cortex XDR endpoint ID. | | Optional |
| Username | User name. | | Optional |
| IPAddress | IP address from the Cortex XDR alert. | | Optional |
| AlertID | Alert ID. | | Optional |
| LoginCountry | The country from which the user logged in. | | Optional |
| AutomaticallyBlockAccount | Whether to block the account automatically. | False | Optional |
| ContactUserManager | Whether to ask the user's manager to confirm the legitimacy of the login events when the user logged in from an unusual country. | False | Optional |
| AlertName | Alert name. | | Optional |
| MaliciousVerdictThreshold | Threshold for determining a 'Malicious' verdict. Must be greater than the SuspiciousVerdictThreshold input. | 2 | Optional |
| SuspiciousVerdictThreshold | Threshold for determining a 'Suspicious' verdict. Must be lower than the MaliciousVerdictThreshold input. | 1 | Optional |
| SplunkIndex | Splunk index in which to search. "*" searches all indexes. | * | Optional |
| SplunkEarliestTime | The earliest time for the Splunk search query. | -1d | Optional |
| SplunkLatestTime | The latest time for the Splunk search query. | now | Optional |
| QRadarSearchTime | The search time for the QRadar search query, for example "Last 1 days". | Last 1 days | Optional |
| AzureSearchTime | The search time for the Azure Log Analytics search query, for example "ago(1d)". | ago(1d) | Optional |
| SIEMFailedLogonSearch | Whether to search the SIEM for failed logon logs (True or False). | True | Optional |
| ThreatLogSearch | Whether to search for PAN-OS threat logs (True or False). | True | Optional |
| XDRAlertSearch | Whether to search Cortex XDR for related alerts (True or False). | True | Optional |
| OktaSearch | Whether to search Okta logs (True or False). | True | Optional |
| XDRUsernameField | Cortex XDR user name field. | actor_effective_username | Optional |
| AutomaticallyResetPassword | Whether to reset the account password automatically. | False | Optional |
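The three check thresholds (XDRRelatedAlertsThreshold, FailedlogonUserThreshold, FailedlogonFromASNThreshold) and the two verdict thresholds interact in a way the table only describes in words. The following is an added illustration written for this page; it is not code from the Cortex XDR pack or its 'Set Verdict' sub-playbook. It models how the counted checks map onto a verdict so the inputs can be tuned deliberately. The check names, the strictly-greater comparison for each check (taken from the page's examples, where 4 alerts against a threshold of 3 is suspicious), the greater-or-equal comparison for the verdict tiers and the 'Benign' label are assumptions; the real sub-playbook also runs checks the inputs table does not count (Okta, PAN-OS threat log and login-country searches), which this model omits.

```python
"""Reference model of how this playbook's threshold inputs interact.

Added illustration for this page; not code from the Cortex XDR pack or the
'Set Verdict' sub-playbook. Assumptions: (a) a check fires when the observed
count is strictly greater than its threshold, matching the page's examples;
(b) the verdict thresholds are compared with >= against the number of checks
that fired; (c) an alert below the 'Suspicious' tier is labelled 'Benign'.
Checks the sub-playbook runs that are not counted here (Okta, PAN-OS threat
logs, login country) are omitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VerdictInputs:
    """Mirrors the playbook inputs, with the page's default values."""
    xdr_related_alerts_threshold: int = 3        # XDRRelatedAlertsThreshold
    failed_logon_user_threshold: int = 30        # FailedlogonUserThreshold
    failed_logon_from_asn_threshold: int = 20    # FailedlogonFromASNThreshold
    suspicious_verdict_threshold: int = 1        # SuspiciousVerdictThreshold
    malicious_verdict_threshold: int = 2         # MaliciousVerdictThreshold

    def __post_init__(self) -> None:
        # The page requires Malicious > Suspicious; otherwise every alert that
        # reaches the 'Suspicious' tier is also 'Malicious' and the lower tier
        # can never be produced.
        if self.malicious_verdict_threshold <= self.suspicious_verdict_threshold:
            raise ValueError(
                "MaliciousVerdictThreshold must be greater than SuspiciousVerdictThreshold"
            )


@dataclass(frozen=True)
class Observations:
    """Counts the sub-playbook would gather for one alert (constructed sample data)."""
    xdr_related_alerts: int
    failed_logons_by_user: int
    failed_logons_from_asn: int


def fired_checks(obs: Observations, inputs: VerdictInputs) -> list[str]:
    """Return the names of the checks whose observed count exceeds (>) its threshold."""
    checks = {
        "XDRRelatedAlerts": obs.xdr_related_alerts > inputs.xdr_related_alerts_threshold,
        "FailedlogonUser": obs.failed_logons_by_user > inputs.failed_logon_user_threshold,
        "FailedlogonFromASN": obs.failed_logons_from_asn > inputs.failed_logon_from_asn_threshold,
    }
    return [name for name, fired in checks.items() if fired]


def verdict(obs: Observations, inputs: VerdictInputs = VerdictInputs()) -> str:
    """Map the number of fired checks onto the verdict tiers (assumed >= semantics)."""
    fired = len(fired_checks(obs, inputs))
    if fired >= inputs.malicious_verdict_threshold:
        return "Malicious"
    if fired >= inputs.suspicious_verdict_threshold:
        return "Suspicious"
    return "Benign"


if __name__ == "__main__":
    # Constructed sample: every count sits exactly on its threshold, so nothing
    # fires; raising any single count by one changes the verdict.
    print(verdict(Observations(3, 30, 20)))            # Benign
    print(verdict(Observations(4, 30, 20)))            # Suspicious (1 check fired)
    print(verdict(Observations(4, 31, 20)))            # Malicious (2 checks fired)
    # Tighter tuning: require all three counted checks before calling it malicious.
    strict = VerdictInputs(suspicious_verdict_threshold=2, malicious_verdict_threshold=3)
    print(verdict(Observations(4, 31, 20), strict))    # Suspicious
```

With the default inputs a single check above its threshold already yields 'Suspicious' and two yield 'Malicious', so raising AutomaticallyBlockAccount or AutomaticallyIsolateEndpoint to True is only sensible after the verdict thresholds have been tuned against the organisation's normal failed-logon volume.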

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Playbook image: Cortex XDR - First SSO Access]