Intense SSO failures with suspicious characteristics
#
This Playbook is part of the Cortex Response And Remediation Pack.Supported versions
Supported Cortex XSOAR versions: 8.9.0 and later.
This playbook addresses the following alert:
- Intense SSO failures with suspicious characteristics.
Playbook Stages:
Triage:
- Collect additional alert data.
- Retrieve IP reputation.
- Analyze identity count and IP reputation:
- If failures involve many users and the IP is not malicious, the alert is likely a false positive and will be closed automatically.
Investigation:
- Identify users with successful logins.
- Check risk indicators for affected users.
- Search for related alerts.
- Analyze authentication patterns for automation.
- Retrieve Azure and Core risk scores.
- Extract security alerts linked to affected users.
- Check for Suspicious Evidence, including:
- Blocked sign-ins from a malicious IP.
- Related security incidents and high-risk IP reputation.
- Risk detections from Azure and Core.
- Suspicious authentication targeting admin portals (e.g., Azure Portal, Exchange Admin, Microsoft 365 Admin).
- The number of distinct identities involved.
Containment:
- Automatic Actions:
- If strong indicators of compromise exist, clear active user sessions.
- Analyst Review:
- Findings are presented for review.
- If user disablement is required, the analyst can select users to disable in Azure AD.
- If a user is disabled, the playbook will also clear their active sessions.
Requirements: Ensure the following integrations are configured:
- Microsoft Graph Identity for Conditional Access and risk scores.
- Microsoft Defender for Identity for authentication analysis.
- Core for user risk evaluation and alert correlation.
- Threat Intelligence Integrations for IP reputation analysis.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooks- Containment Plan - Clear User Sessions
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- AnalyzeTimestampIntervals
- GetTime
- SearchAlertsV2
- SetAndHandleEmpty
#
Commands- azure-risky-users-list
- azure-risky-users-risk-detections-list
- closeInvestigation
- core-get-cloud-original-alerts
- core-list-risky-users
- ip
- microsoft-365-defender-advanced-hunting
- msgraph-user-account-disable
#
Playbook InputsThere are no inputs for this playbook.
#
Playbook OutputsThere are no outputs for this playbook.