Skip to main content

Cortex XDR Lite - Incident Handling

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

The Cortex XDR Lite - Incident Handling playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident and executes the following:

Analysis:

  • Enriches all the indicators from XDR incidents and alerts, providing additional context and information about these indicators.

Investigation:

  • Checks for related XDR alerts to the user and the endpoint by Mitre tactics to identify malicious activity.
  • Checks for specific arguments for malicious usage from the command line.

Verdict:

  • Determines the incident's verdict by considering indicator enrichment results, user and host risk levels, command line analysis, and the number of related XDR alerts (medium severity or higher) to the user and the endpoint by Mitre tactics.

Verdict Handling:

  • Handles malicious incidents by initiating appropriate response actions, including blocking malicious indicators, isolating endpoints, and disabling user accounts.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Cortex XDR - Isolate Endpoint
  • Entity Enrichment - Generic v3
  • Command-Line Analysis
  • Block Indicators - Generic v3
  • Cortex XDR - Get entity alerts by MITRE tactics

Integrations#

  • Cortex XDR - IR
  • CortexXDRIR

Scripts#

  • Set
  • SetAndHandleEmpty

Commands#

  • xdr-get-incident-extra-data
  • xdr-update-incident

Playbook Inputs#


NameDescriptionDefault ValueRequired
incident_idIncident ID.incident.xdrincidentidOptional
EndpointIDXDR endpoint ID.PaloAltoNetworksXDR.Incident.alerts.endpoint_idOptional
HostnameHostname.PaloAltoNetworksXDR.Incident.alerts.host_nameOptional
UsernameUsername.PaloAltoNetworksXDR.Incident.alerts.user_nameOptional
AutoIsolateEndpointWhether to isolate the endpoint automatically.FalseOptional
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.
FalseOptional
UserVerificationPossible values: True/False. Default: False.
Whether to provide user verification for blocking IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
FalseOptional
XDRRelatedAlertsThresholdThis is the minimum threshold for XDR-related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity on the endpoint and by the user.
Example: If this input is set to '5' and it detects '6' XDR-related alerts, it will classify this check as indicating malicious activity.
The default value is '5'.
5Optional
InternalRangeThis input is used in the "Entity Enrichment - Generic v3" playbook.
A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges is: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, uses the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).
172.16.0.0/12,10.0.0.0/8,192.168.0.0/16Optional
XDRDomainXDR instance domain.incident.xdrurlOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Cortex XDR Lite - Incident Handling