Access Investigation - Generic

This playbook investigates an access incident by gathering user and IP information.

The playbook then emails the user who triggered the incident (via the EmailAskUser script) to confirm whether or not they initiated the access action. The incident is assigned to an analyst in the configured role, and the user's manager is looked up so they can be involved if the user denies the access.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Active Directory - Get User Manager Details
  • Account Enrichment - Generic v2.1
  • IP Enrichment - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

  • AssignAnalystToIncident
  • EmailAskUser

Commands

  • closeInvestigation
  • setIncident

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| SrcIP | The source IP address from which the incident originated. | incident.src | Optional |
| DstIP | The target IP address that was accessed. | incident.dest | Optional |
| Username | The username of the account that was used to access the DstIP. | incident.srcuser | Optional |
| Role | The default role to assign the incident to. | Administrator | Required |
| OnCall | Set to true to assign only the users that are currently on shift. Requires Cortex XSOAR v5.5 or later. | false | Optional |
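The page lists the inputs and the scripts the playbook calls but not its branching, so the following is an added example, not the playbook's own code, that models the decision a practitioner would expect at the end of the flow: enrich first, then ask the user, and never let a "yes" from the user close an incident whose source or destination IP has already been scored malicious. The `Enrichment` and `Decision` types, the reply wording accepted by `parse_user_reply`, and the sample values are all constructed for illustration; the 0-3 score scale is the one Cortex XSOAR uses for DBotScore.Score, and `role` / `on_call` mirror the Role and OnCall inputs above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# DBotScore.Score values as Cortex XSOAR uses them: 0 unknown, 1 good, 2 suspicious, 3 bad.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3


@dataclass
class Enrichment:
    """Constructed stand-in for what the enrichment sub-playbooks put in context."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    username: Optional[str]
    ip_scores: Dict[str, int] = field(default_factory=dict)  # DBotScore.Score per IP
    manager_email: Optional[str] = None                      # from the manager-details lookup


@dataclass
class Decision:
    action: str                        # "close" or "escalate"
    reason: str
    assign_role: Optional[str] = None  # Role input; only set when escalating
    only_on_shift: bool = False        # OnCall input; only set when escalating
    notify: List[str] = field(default_factory=list)


def parse_user_reply(reply: Optional[str]) -> Optional[bool]:
    """Map a yes/no style email reply to True/False; no reply or anything else is None."""
    if reply is None:
        return None
    text = reply.strip().lower()
    if text in ("yes", "y", "confirm", "it was me"):
        return True
    if text in ("no", "n", "deny", "not me"):
        return False
    return None


def decide(enr: Enrichment, reply: Optional[str],
           role: str = "Administrator", on_call: bool = False) -> Decision:
    """Combine enrichment and the user's answer the way an analyst would.

    Order matters: a malicious IP verdict wins over the user's answer, because a
    compromised account (or an attacker reading the mailbox) can answer "yes" too.
    """
    confirmed = parse_user_reply(reply)
    bad_ips = sorted(ip for ip, score in enr.ip_scores.items() if score == SCORE_BAD)
    notify = [enr.manager_email] if enr.manager_email else []

    if bad_ips:
        return Decision("escalate", "IP scored malicious: " + ", ".join(bad_ips),
                        role, on_call, notify)
    if confirmed is None:
        return Decision("escalate", "no usable reply from user", role, on_call, notify)
    if not confirmed:
        return Decision("escalate", f"{enr.username} denied initiating the access",
                        role, on_call, notify)
    return Decision("close", f"{enr.username} confirmed initiating the access")


# Constructed sample: a benign source IP, an unknown internal destination, a known manager.
SAMPLE = Enrichment(
    src_ip="203.0.113.5",
    dst_ip="10.0.0.12",
    username="jdoe",
    ip_scores={"203.0.113.5": SCORE_GOOD, "10.0.0.12": SCORE_UNKNOWN},
    manager_email="jdoe.manager@example.com",
)

if __name__ == "__main__":
    for reply in ("Yes", "No", None):
        print(repr(reply), "->", decide(SAMPLE, reply, on_call=True))
```

The check that makes this worth writing out is the first branch: the playbook's user confirmation is a control against false positives, not against a compromised account, so any automation that closes on "yes" should be gated on the IP enrichment verdict first.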

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| Account | The Account object | unknown |
| Account.ID | The unique Account DN (Distinguished Name) | string |
| Account.Username | The Account username | string |
| Account.DisplayName | The Account display name | string |
| Account.Type | The type of the Account entity | string |
| Account.Groups | The groups the Account is a member of | unknown |
| Account.Manager | The Account's manager | string |
| Account.Email | The email address associated with the Account | unknown |
| Account.Email.Address | The email address string of the Account's email object | string |
| DBotScore | The DBotScore object (Indicator, Score, Type, Vendor) | unknown |
| DBotScore.Indicator | The indicator value | string |
| DBotScore.Type | The indicator's type | string |
| DBotScore.Vendor | The vendor that scored the indicator | string |
| DBotScore.Score | The indicator's score | number |
| IP | The IP objects | unknown |
| Endpoint | The Endpoint object | unknown |
| Endpoint.Hostname | The endpoint hostname | string |
| Endpoint.OS | The endpoint OS | string |
| Endpoint.IP | The list of endpoint IP addresses | unknown |
| Endpoint.MAC | The list of endpoint MAC addresses | unknown |
| Endpoint.Domain | The endpoint domain name | string |

Playbook Image

[Playbook image: Access Investigation - Generic]