JOB - Cortex XDR query endpoint device control violations

This Playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

A job that periodically queries Cortex XDR for device control violations, looking back over the relative date given in the TimeStamp playbook input. If violations are found, the collected data is used to create a new incident. You can set the type of the created incident in the playbook input; use the XDR Device Control Violations incident type to associate it with the response playbook. The job ships with an incident type that has a dedicated layout for visualizing the collected data. To configure the job correctly:

  1. Create a new recurring job.
  2. Configure the recurring schedule.
  3. Add a name.
  4. Configure the type to XDR Device Control Violations.
  5. Configure this playbook as the job playbook. The recurrence interval of the job and the relative date in the TimeStamp input should be identical: if the job recurs every 7 days, the timestamp should be 7 days as well.

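The following is an added example and not code from the Cortex XSOAR pack or this playbook. It is a stand-alone simulation of the job's decision logic: parse the relative TimeStamp input ("1 day", "3 weeks") into a query window, keep only the violations inside that window, and either build the incident the job would create (with the Severity and IncidentType inputs) or close the job's own investigation when nothing was found. The violation records and the incident fields are constructed for the example; the real playbook obtains the data through the xdr-get-endpoint-device-control-violations command and creates the incident with createNewIncident.

```python
"""Added example: simulate the JOB - Cortex XDR query endpoint device control
violations logic offline. Not the pack's own code; all data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Severity values the Severity input accepts, as listed in the playbook inputs.
VALID_SEVERITIES = {0, 0.5, 1, 2, 3, 4}

# Units understood by the relative date parser (assumption for this example).
_UNITS = {
    "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1),
    "day": timedelta(days=1),
    "week": timedelta(weeks=1),
}


def parse_relative_timestamp(text):
    """Turn a relative date such as "1 day" or "3 weeks" into a timedelta.
    Anything else raises ValueError so a misconfigured job fails loudly
    instead of silently querying the wrong window."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported relative timestamp: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def violations_in_window(violations, timestamp_input, now):
    """Keep the violations whose timestamp falls in [now - window, now]."""
    start = now - parse_relative_timestamp(timestamp_input)
    return [v for v in violations if start <= v["timestamp"] <= now]


def build_job_result(violations, timestamp_input, severity=1,
                     incident_type="Cortex XDR Device Control Violations", now=None):
    """Mirror the job's branch: create an incident only when violations were
    found in the window, otherwise just close the job's own investigation."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"invalid severity {severity!r}; allowed: {sorted(VALID_SEVERITIES)}")
    now = now or datetime.now(timezone.utc)
    found = violations_in_window(violations, timestamp_input, now)
    if not found:
        return {"action": "closeInvestigation", "incident": None}
    incident = {
        "name": f"XDR Device Control Violations ({len(found)} found)",
        "type": incident_type,
        "severity": severity,
        # Rows for the table-style grid field the dedicated layout displays
        # (the real playbook fills it with SetGridField).
        "violations": [
            {"hostname": v["hostname"], "user": v["user"], "vendor": v["vendor"],
             "product": v["product"], "timestamp": v["timestamp"].isoformat()}
            for v in found
        ],
    }
    return {"action": "createNewIncident", "incident": incident}


# Constructed sample data: a fixed "now" and three violation records.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_VIOLATIONS = [
    {"hostname": "WS-0101", "user": "alice", "vendor": "Example Vendor",
     "product": "USB Mass Storage", "timestamp": NOW - timedelta(days=2)},
    {"hostname": "WS-0102", "user": "bob", "vendor": "Example Vendor",
     "product": "USB Mass Storage", "timestamp": NOW - timedelta(days=6, hours=23)},
    # Older than 7 days: excluded by a "1 week" / "7 days" window.
    {"hostname": "WS-0103", "user": "carol", "vendor": "Example Vendor",
     "product": "Portable Device", "timestamp": NOW - timedelta(days=9)},
]

if __name__ == "__main__":
    result = build_job_result(SAMPLE_VIOLATIONS, "1 week", severity=2, now=NOW)
    print(result["action"], result["incident"] and len(result["incident"]["violations"]))
```

The window arithmetic is the reason step 5 asks for the recurrence interval and the TimeStamp input to match: with a job every 7 days and a "7 days" timestamp the query windows abut, a shorter timestamp leaves violations that are never reported, and a longer one reports the same violations in two consecutive incidents.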
Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CortexXDRIR

Scripts

  • SetGridField

Commands

  • closeInvestigation
  • createNewIncident
  • setIncident
  • xdr-get-endpoint-device-control-violations

Playbook Inputs


Name: TimeStamp
Description: Timestamp in relative date format for querying device control events from Cortex XDR. For example "1 day", "3 weeks".
Default Value: (not set)
Required: Optional

Name: Severity
Description: The severity of the created incident when device control events were found. Valid values are:
  0 - Unknown
  0.5 - Informational
  1 - Low
  2 - Medium
  3 - High
  4 - Critical
Default Value: 1
Required: Optional

Name: IncidentType
Description: The desired incident type for the created incident when device control violations were found.
Default Value: Cortex XDR Device Control Violations
Required: Optional

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


JOB - Cortex XDR query endpoint device control violations