
Cortex XDR - PrintNightmare Detection and Response

This playbook is part of the Cortex XDR by Palo Alto Networks pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

The playbook targets specific PrintNightmare detection rules written by Cortex XDR for both vulnerabilities:

  • CVE-2021-1675 (LPE)
  • CVE-2021-34527 (RCE)

This playbook includes the following tasks:

  • Containment of files, endpoints, users and IP Addresses
  • Enrichment of indicators
  • Data acquisition of system info and files using Cortex XDR
  • Eradicating compromised user credentials

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Account Enrichment - Generic v2.1
  • Endpoint Enrichment - Generic v2.1
  • Cortex XDR - Isolate Endpoint
  • Block IP - Generic v3
  • Threat Hunting - Generic

Integrations

  • CortexXDRIR

Scripts

  • SearchIncidentsV2

Commands

  • ad-disable-account
  • enrichIndicators
  • xdr-get-incident-extra-data

Playbook Inputs

Each input is listed with its name, description, default value, and whether it is required.

  • IsolateEndpointAutomatically: Whether to isolate the endpoint automatically. Default value: False. Optional.
  • DisableAccountAutomatically: Whether to disable the account automatically. Default value: True. Optional.
  • BlockIPAutomatically: Whether to block the IP address automatically. Default value: True. Optional.
  • EnrichAutomatically: Whether to run automatic enrichment of indicators. Default value: True. Optional.
  • UserVerification: Possible values: True/False. Whether to require user verification before blocking IPs. False: no prompt is displayed to the user. True: the server asks the user to confirm the block and displays the blocking list.

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

Cortex XDR - PrintNightmare Detection and Response