Skip to main content

Handle Shadow IT Incident

This Playbook is part of the Shadow IT Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook is used to handle a Shadow IT incident. A Shadow IT incident occurs when a resource attributed to the organization that is not sanctioned by IT nor protected by the InfoSec team is found.

This playbook handles the incident by helping the analyst find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process. Supported Cortex XSOAR versions: 6.0.0 and later.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Active Directory - Get User Manager Details


This playbook does not use any integrations.


This playbook does not use any scripts.


  • setIncident
  • findIndicators
  • send-mail
  • appendIndicatorField

Playbook Inputs#

NameDescriptionDefault ValueRequired
Notify ManagerNotify user's managerYesOptional
ShadowITIndicatorTagsTags to add to indicators to identify potential Shadow IT assetsShadowITOptional
ManagerNotificationSubjectPrefixThis input is added as prefix to the owner name to build the subject of the email sent to the owner's manager.Shadow IT asset detected - owned byOptional
ManagerNotificationBodyBody of the email to send to the owner's manager.Dear ${UserManagerDisplayName},

we detected a Shadow IT service for User ${incident.shadowitaccountownername} who, according to the Company's directory, directly reports to you.

The service is: ${incident.shadowitip}:${incident.shadowitport} (FQDN: ${incident.shadowitfqdn}), please work with your team and us to resolve this issue.

Best regards,

InfoSec team

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Handle Shadow IT Incident