Skip to main content

Cortex XDR Lite - Incident Handling

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

The Cortex XDR Lite - Incident Handling playbook is triggered by fetching a Palo Alto Networks Cortex XDR incident and executes the following:


  • Enriches all the indicators from XDR incidents and alerts, providing additional context and information about these indicators.


  • Checks for related XDR alerts to the user and the endpoint by Mitre tactics to identify malicious activity.
  • Checks for specific arguments for malicious usage from the command line.


  • Determines the incident's verdict by considering indicator enrichment results, user and host risk levels, command line analysis, and the number of related XDR alerts (medium severity or higher) to the user and the endpoint by Mitre tactics.

Verdict Handling:

  • Handles malicious incidents by initiating appropriate response actions, including blocking malicious indicators, isolating endpoints, and disabling user accounts.

To utilize this playbook as the default for handling XDR incidents, the classifier should be empty, and the selected incident type should be Cortex XDR - Lite. The selected Mapper (incoming) should be XDR - Incoming Mapper, and the selected Mapper (outgoing) should be Cortex XDR - Outgoing Mapper.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR - Isolate Endpoint
  • Block Indicators - Generic v3
  • Command-Line Analysis
  • Entity Enrichment - Generic v3
  • Cortex XDR - Get entity alerts by MITRE tactics


  • CortexXDRIR
  • Cortex XDR - IR


  • Set
  • SetAndHandleEmpty


  • xdr-get-incident-extra-data
  • xdr-update-incident

Playbook Inputs#

NameDescriptionDefault ValueRequired
incident_idIncident ID.incident.xdrincidentidOptional
EndpointIDXDR endpoint ID.PaloAltoNetworksXDR.Incident.alerts.endpoint_idOptional
XDRDomainXDR instance domain.incident.xdrurlOptional
InternalRangeThis input is used in the "Entity Enrichment - Generic v3" playbook.
A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, ",," (without quotes).
XDRRelatedAlertsThresholdThis is the minimum threshold for XDR-related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity on the endpoint and by the user.
Example: If this input is set to '5' and it detects '6' XDR-related alerts, it will classify this check as indicating malicious activity.
The default value is '5'.
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.
AutoIsolateEndpointWhether to isolate the endpoint automatically.FalseOptional
UserVerificationPossible values: True/False. Default: False.
Whether to provide user verification for blocking IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR Lite - Incident Handling