JOB - Cortex XDR query endpoint device control violations
Cortex XDR by Palo Alto Networks Pack.#This Playbook is part of the
Supported Cortex XSOAR versions: 5.5.0 and later.
A job to periodically query Cortex XDR device control violations by a given timestamp in a relative date playbook input. The collected data, if found, will be generated for a new incident. You can configure the created new incident type in the playbook input and use the XDR Device Control Violations incident type to associate it with the response playbook. The job includes an incident type with a dedicated layout to visualize the collected data. To configure the job correctly:
- Create a new recurring job.
- Configure the recurring schedule.
- Add a name.
- Configure the type to XDR Device Control Violations.
- Configure this playbook as the job playbook. The scheduled run time and the timestamp relative date should be identical. If the job recurs every 7 days, the timestamp should be 7 days as well.
This playbook uses the following sub-playbooks, integrations, and scripts.
This playbook does not use any sub-playbooks.
|TimeStamp||Timestamp in relative date format for query device control events|
from Cortex XDR.
For example "1 day", "3 weeks".
|Severity||The severity of the created incident when the device control events were found.|
Valid values are;
0 - Unknown
0.5 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
|IncidentType||The desired incident type for the created incident when the device control violations were found.||Cortex XDR Device Control Violations||Optional|
There are no outputs for this playbook.