Successful guest user invitation

Supported Cortex XSOAR versions: 6.10.0 and later.

This playbook addresses the following alert:

Playbook Stages:

Triage:

Investigation:

Check IOCs Reputation:
- Analyze the reputation of IP addresses, email addresses, and domains related to the incident.
Check for Azure Alerts:
- Retrieve user Principal Name (UPN).
- Extract recent Azure security alerts for the inviting user.
Check if User is Risky:
- Assess the risk score of the inviting user based on Core and Azure risk indicators.
- Investigate reasons behind any identified risks, including recent detections.

Containment:

Provide a manual task for an analyst to review the findings and decide the next steps.
Possible actions:
- Disable the invited user.
- Disable the inviting user.
- Disable both users.
- Take no action.
If users are disabled, revoke their active sessions to ensure immediate containment.

Requirements: For the best results, it's recommended to ensure these integrations are configured and working:

Cortex Core - Investigation and Response for Core user risk evaluation.
Azure Risky Users for retrieving user risk scores.
Microsoft 365 Defender for advanced hunting queries and Azure security alerts.
Microsoft Graph User for disabling accounts and revoking sessions.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

This playbook does not use any sub-playbooks.

This playbook does not use any integrations.

There are no inputs for this playbook.

There are no outputs for this playbook.

Successful guest user invitation