Skip to main content

Cortex XDR Alerts Handling v2

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

  • Malware
  • Port Scan
  • Cloud Cryptojacking
  • Cloud Token Theft
  • RDP Brute-Force
  • First SSO Access
  • Cloud IAM User Access Investigation
  • Identity Analytics

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • GenericPolling
  • Cortex XDR - First SSO Access
  • Cortex XDR - XCloud Cryptojacking
  • Cortex XDR - XCloud Token Theft Response
  • Cortex XDR - Port Scan - Adjusted
  • Cortex XDR - Cloud IAM User Access Investigation
  • Cortex XDR - Malware Investigation
  • Cortex XDR - Possible External RDP Brute-Force
  • Cortex XDR - Cloud Data Exfiltration Response
  • Cortex XDR Remote PsExec with LOLBIN command execution alert
  • Cortex XDR - Identity Analytics

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

This playbook does not use any commands.

Playbook Inputs#


NameDescriptionDefault ValueRequired
incident_idIncident ID.PaloAltoNetworksXDR.Incident.incident_idOptional
alert_idAlert ID.PaloAltoNetworksXDR.Incident.alerts.alert_idOptional
InternalIPRangesA list of IP address ranges to check the IP address against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).lists.PrivateIPsOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Cortex XDR Alerts Handling v2