# JOB - Cortex XDR query endpoint device control violations
This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.

#### Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.

A job that periodically queries Cortex XDR for device control violations newer than a relative timestamp given as a playbook input. If any violations are found, a new incident is created from the collected data. The type of the created incident is configurable through a playbook input; use the XDR Device Control Violations incident type to associate it with the response playbook. The job ships with an incident type and a dedicated layout that visualizes the collected data. To configure the job correctly:
- Create a new recurring job.
- Configure the recurring schedule.
- Add a name.
- Configure the type to XDR Device Control Violations.
- Configure this playbook as the job playbook. The recurrence interval of the job and the relative timestamp must be identical: if the job recurs every 7 days, the timestamp should be "7 days" as well, so that consecutive runs neither miss violations nor collect the same ones twice.
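The following is an added example, not code from the playbook or the Cortex XDR pack, that shows the logic the job applies: parse the relative timestamp input, keep only the violations inside that window, check that the window matches the job's recurrence interval, and assemble the incident that would be created with the configured severity and incident type. The violation records are constructed sample data, and their field names, the `xdrdevicecontrolviolations` grid field name and the argument shape handed to incident creation are assumptions, not the integration's real response schema or the exact `createNewIncident` argument set.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed "current" time so the example is deterministic.
NOW = datetime(2024, 5, 8, 9, 0, tzinfo=timezone.utc)

# Constructed sample records; field names are an assumption, not the real
# xdr-get-endpoint-device-control-violations output schema.
SAMPLE_VIOLATIONS = [
    {"hostname": "ws-101", "user": "alice", "type": "Disk Drive",
     "timestamp": int((NOW - timedelta(hours=5)).timestamp() * 1000)},
    {"hostname": "ws-202", "user": "bob", "type": "USB Storage",
     "timestamp": int((NOW - timedelta(days=3)).timestamp() * 1000)},
    {"hostname": "srv-01", "user": "carol", "type": "Disk Drive",
     "timestamp": int((NOW - timedelta(days=10)).timestamp() * 1000)},
]

# Severity values accepted by the playbook's Severity input (XSOAR scale).
SEVERITY_SCALE = {"unknown": 0, "informational": 0.5, "low": 1,
                  "medium": 2, "high": 3, "critical": 4}

_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}


def parse_relative_date(text):
    """Turn a relative date such as "1 day" or "3 weeks" into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported relative date: {text!r}")
    return timedelta(**{_UNITS[m.group(2).lower()]: int(m.group(1))})


def select_recent_violations(violations, relative_date, now):
    """Keep only violations whose epoch-millisecond timestamp is inside the window."""
    cutoff_ms = int((now - parse_relative_date(relative_date)).timestamp() * 1000)
    return [v for v in violations if v["timestamp"] >= cutoff_ms]


def window_matches_schedule(relative_date, schedule):
    """True when the query window equals the job's recurrence interval.

    A shorter window leaves gaps between runs; a longer one re-collects
    violations that the previous run already turned into an incident.
    """
    return parse_relative_date(relative_date) == parse_relative_date(schedule)


def build_incident(violations, severity=1,
                   incident_type="Cortex XDR Device Control Violations"):
    """Assemble the incident arguments (assumed shape) or None when nothing was found."""
    if not violations:
        return None  # the job closes its own investigation without creating an incident
    if severity not in SEVERITY_SCALE.values():
        raise ValueError(f"severity must be one of {sorted(SEVERITY_SCALE.values())}")
    grid_rows = [
        {"Hostname": v["hostname"], "Username": v["user"], "Device Type": v["type"],
         "Timestamp": datetime.fromtimestamp(v["timestamp"] / 1000, tz=timezone.utc).isoformat()}
        for v in violations
    ]
    return {
        "name": f"XDR Device Control Violations ({len(violations)} events)",
        "type": incident_type,
        "severity": severity,
        "details": f"{len(violations)} device control violations in the query window",
        # Hypothetical grid field name populated the way SetGridField would.
        "customFields": {"xdrdevicecontrolviolations": grid_rows},
    }


if __name__ == "__main__":
    assert window_matches_schedule("7 days", "1 week")
    recent = select_recent_violations(SAMPLE_VIOLATIONS, "7 days", NOW)
    print(build_incident(recent, severity=3))
```

Run it as-is to see the incident built from the two violations that fall inside a 7-day window; the 10-day-old record is excluded, which is exactly the event a job with a 7-day recurrence would have picked up on its previous run.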
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
This playbook does not use any sub-playbooks.

### Integrations
- CortexXDRIR

### Scripts
- SetGridField

### Commands
- closeInvestigation
- createNewIncident
- setIncident
- xdr-get-endpoint-device-control-violations

## Playbook Inputs
| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| TimeStamp | Timestamp in relative date format used to query device control events from Cortex XDR. For example, "1 day" or "3 weeks". | | Optional |
| Severity | The severity of the incident created when device control events are found. Valid values: 0 - Unknown, 0.5 - Informational, 1 - Low, 2 - Medium, 3 - High, 4 - Critical. | 1 | Optional |
| IncidentType | The incident type for the incident created when device control violations are found. | Cortex XDR Device Control Violations | Optional |

## Playbook Outputs
There are no outputs for this playbook.