Skip to main content

Cortex XDR Alerts Handling

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#


Use Cortex XDR - Alerts Handling v2 instead.

Deprecated. Use Cortex XDR - Alerts Handling v2 instead. When using the v2 version, enabling globally shared context for that playbook is required because outputs are no longer declared.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR Remote PsExec with LOLBIN command execution alert
  • Cortex XDR - Possible External RDP Brute-Force
  • Cortex XDR - Malware Investigation
  • Cortex XDR - Cloud Data Exfiltration Response
  • Cortex XDR - Port Scan - Adjusted
  • Cortex XDR - First SSO Access
  • Cortex XDR - XCloud Token Theft Response
  • GenericPolling
  • Cortex XDR - Cloud IAM User Access Investigation
  • Cortex XDR - XCloud Cryptojacking


  • Cortex XDR - IR


This playbook does not use any scripts.


  • xdr-get-incident-extra-data

Playbook Inputs#

NameDescriptionDefault ValueRequired
incident_idIncident ID.PaloAltoNetworksXDR.Incident.incident_idOptional
alert_idAlert ID.PaloAltoNetworksXDR.Incident.alerts.alert_idOptional
InternalIPRangesA list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).lists.PrivateIPsOptional

Playbook Outputs#

PaloAltoNetworksXDR.Incident.incident_idUnique ID assigned to each returned incident.unknown
PaloAltoNetworksXDR.Incident.descriptionDynamic calculated description of the incident.unknown
PaloAltoNetworksXDR.Incident.alerts.alert_idUnique ID for each alert.unknown
PaloAltoNetworksXDR.Incident.alerts.severitySeverity of the alert: "low","medium","high".unknown
PaloAltoNetworksXDR.Incident.alerts.nameCalculated name of the alert.unknown
PaloAltoNetworksXDR.Incident.alerts.categoryCategory of the alert, for example, Spyware Detected via Anti-Spyware profile.unknown
PaloAltoNetworksXDR.Incident.alerts.host_ipHost IP involved in the alert.unknown
PaloAltoNetworksXDR.Incident.alerts.host_nameHost name involved in the alert.unknown
PaloAltoNetworksXDR.Incident.alerts.user_nameUser name involved with the alert.unknown
PaloAltoNetworksXDR.Incident.alerts.event_typeEvent type: "Process Execution","Network Event","File Event","Registry Event","Injection Event","Load Image Event","Windows Event Log".unknown
PaloAltoNetworksXDR.Incident.alerts.actionThe action that triggered the alert. "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23".unknown
PaloAltoNetworksXDR.Incident.alerts.action_prettyThe action that triggered the alert: "Detected (Reported)" "Prevented (Blocked)" "Detected (Post Detected)" "Detected (Scanned)" "Detected (Download)" "Detected (Prompt Allow)" "Prevented (Prompt Block)" "Detected" "Prevented (Denied The Session)" "Prevented (Dropped The Session)" "Prevented (Dropped The Session And Sent a TCP Reset)" "Prevented (Blocked The URL)" "Prevented (Blocked The IP)" "Prevented (Dropped The Packet)" "Prevented (Dropped All Packets)" "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)" "Prevented (Terminated The Session And Sent a TCP Reset To The Client)" "Prevented (Terminated The Session And Sent a TCP Reset To The Server)" "Prevented (Continue)" "Prevented (Block-Override)" "Prevented (Override-Lockout)" "Prevented (Override)" "Prevented (Random-Drop)" "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)" "Prevented (Block)" "Detected (Allowed The Session)" "Detected (Raised An Alert)" "Detected (Syncookie Sent)" "Detected (Forward)" "Detected (Wildfire Upload Success)" "Detected (Wildfire Upload Failure)" "Detected (Wildfire Upload Skip)" "Detected (Sinkhole)".unknown
PaloAltoNetworksXDR.Incident.alerts.actor_process_image_nameImage name.unknown
PaloAltoNetworksXDR.Incident.alerts.actor_process_command_lineCommand line.unknown
PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_statusSignature status: "Signed" "Invalid Signature" "Unsigned" "Revoked" "Signature Fail" "N/A" "Weak Hash".unknown
PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendorSignature vendor name.unknown
PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256Image SHA256.unknown
PaloAltoNetworksXDR.Incident.alerts.is_whitelistedWhether the alert is on the allow list.unknown
PaloAltoNetworksXDR.Incident.network_artifacts.typeNetwork artifact type: "IP".unknown
PaloAltoNetworksXDR.Incident.network_artifacts.network_domainThe domain related to the artifact.unknown
PaloAltoNetworksXDR.Incident.network_artifacts.network_countryThe country related to the artifact.unknown
PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ipThe remote IP related to the artifact.unknown
PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_statusDigital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH".unknown
PaloAltoNetworksXDR.Incident.file_artifacts.is_processWhether the file artifact is related to a process execution.unknown
PaloAltoNetworksXDR.Incident.file_artifacts.file_nameName of the file.unknown
PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdictThe file verdict, calculated by Wildfire: "BENIGN", "MALWARE", "GRAYWARE", "PHISHING", "UNKNOWN".unknown
PaloAltoNetworksXDR.Incident.file_artifacts.is_maliciousWhether the artifact is malicious, decided by the Wildfire verdict.unknown
PaloAltoNetworksXDR.Incident.file_artifacts.typeThe artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME".unknown
PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256SHA256 hash of the file.unknown
PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_nameFile signature vendor name.unknown
PortScan.BlockPortsIndicates whether there's a need to block the ports used for exploitation on the scanned host.unknown
PortScan.AttackerIPsAttacker IPs from the port scan alert.unknown
PortScan.AttackerHostnamesAttacker host names from the port scan alert.unknown
PortScan.AttackerUsernameAttacker user name from the port scan alert.unknown
PortScan.FileArtifactsFile artifacts from the port scan alert.unknown
PortScan.LateralMovementFirstDatetimeLateral movement first date time from the port scan alert.unknown
PortScan.PortScanFirstDatetimePort scan first date time.unknown
PaloAltoNetworksXDR.Incident.shouldRetrieveFileFiles hashes which are not present and were marked as "not retrieve" by the user.unknown

Playbook Image#

Cortex XDR Alerts Handling