Skip to main content

User Investigation - Generic

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls.

Supported Integrations: -Okta -Splunk -QRadar -Azure Log Analytics -PAN-OS -XDR / Core By Palo Alto Networks.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Get entity alerts by MITRE tactics
  • Okta - User Investigation
  • SIEM - Search for Failed logins
  • Cortex XDR - Get entity alerts by MITRE tactics

Integrations#

This playbook does not use any integrations.

Scripts#

  • Set
  • CountArraySize
  • SetAndHandleEmpty
  • MathUtil

Commands#

  • pan-os-query-logs
  • pan-os-get-logs

Playbook Inputs#


NameDescriptionDefault ValueRequired
SplunkIndexSplunk's index name in which to search. Default is "*" - All.*Optional
SplunkEarliestTimeThe earliest time for the Splunk search query.-1dOptional
SplunkLatestTimeThe latest time for the Splunk search query.nowOptional
UserEmailThe user email to search Okta logs.Optional
UsernameUser name.Optional
LoginCountryThe Country from which the user logged in.Optional
SIEMFailedLogonSearchWhether to search for failed logon logs from Siem? Can be False or True.TrueOptional
ThreatLogSearchWhether to search for threat logs from PAN-OS? Can be False or True.TrueOptional
XDRAlertSearchWhether to search for Related alerts from XDR? Can be False or True.TrueOptional
OktaSearchWhether to search for logs from Okta? Can be False or True.TrueOptional
XDRUsernameFieldCortex XDR User name Field.actor_effective_usernameOptional
QRadarSearchTimeThe Search Time for the QRadar search query. for example: Last 1 daysLast 1 daysOptional
AzureSearchTimeThe Search Time for the Azure Log Analytics search query. for example: ago(1d)ago(1d)Optional
ASNThe ASN from which the user logged in.Optional

Playbook Outputs#


PathDescriptionType
NumOfSiemFailedLogonNumber of failed login from Siem.unknown
NumOfThreatLogsNumber of Threat Logs for the user from Panorama.unknown
PaloAltoNetworksXDR.AlertXDR Alerts.unknown
ArraySizeNumber of XDR alert for the user.unknown
PermanentCountryTrue if the user work from a permanent country from Okta. False if else.unknown
UserDevicesDevices used by the user from Okta.unknown
NumOfOktaSuspiciousActivitiesNumber of Suspicious Activities for the user from Okta.unknown
SuspiciousUserActivitiesSuspicious Activities for the user from Okta.unknown
NumOfOktaSuspiciousUserAgentNumber of Suspicious User Agent from Okta.unknown
SuspiciousUserAgentSuspicious User Agent from Okta.unknown
UserApplicationApplications used by the user from Okta.unknown
NumOfOktaFailedLogonNumber of failed login from Okta.unknown
AzureFailedLogonLogsThe result of the Azure Log Analytics search.unknown
QRadar.Search.ResultThe result of the QRadar search.unknown
Splunk.ResultThe results of the Splunk search. The results are a JSON array, in which each item is a Splunk event.unknown
NumOfFailedLogonNumber of failed login.unknown
NumOfFailedLogonASNNumber of failed login from ASN by all users.unknown

Playbook Image#


User Investigation - Generic