Skip to main content

Cortex XDR Alerts Handling v2

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

  • Malware
  • Port Scan
  • Cloud Cryptojacking
  • Cloud Token Theft
  • RDP Brute-Force
  • First SSO Access
  • Cloud IAM User Access Investigation
  • Identity Analytics


This playbook uses the following sub-playbooks, integrations, and scripts.


  • GenericPolling
  • Cortex XDR - Possible External RDP Brute-Force
  • Cortex XDR - XCloud Cryptojacking
  • Cortex XDR - Port Scan - Adjusted
  • Cortex XDR - First SSO Access
  • Cortex XDR - XCloud Token Theft Response
  • Cortex XDR Remote PsExec with LOLBIN command execution alert
  • Cortex XDR - Cloud IAM User Access Investigation
  • Cortex XDR - Large Upload
  • Cortex XDR - Cloud Data Exfiltration Response
  • Cortex XDR - Malware Investigation
  • Cortex XDR - Identity Analytics


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
incident_idIncident ID.PaloAltoNetworksXDR.Incident.incident_idOptional
alert_idAlert ID.PaloAltoNetworksXDR.Incident.alerts.alert_idOptional
InternalIPRangesA list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).lists.PrivateIPsOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR Alerts Handling v2