JOB - Cortex XDR query endpoint device control violations

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

A job that periodically queries Cortex XDR for device control violations that occurred within the window given by the relative-date TimeStamp playbook input. If violations are found, a new incident is created from the collected data. The incident type of the created incident is configurable through the playbook input; use the XDR Device Control Violations incident type to associate it with the response playbook. The job includes an incident type with a dedicated layout to visualize the collected data. To configure the job correctly:

  1. Create a new recurring job.
  2. Configure the recurring schedule.
  3. Add a name.
  4. Configure the type to XDR Device Control Violations.
  5. Configure this playbook as the job playbook. The job's recurrence interval and the TimeStamp relative date should be identical, so that consecutive runs neither overlap nor leave a gap. If the job recurs every 7 days, the timestamp should be 7 days as well.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CortexXDRIR

Scripts

  • SetGridField

Commands

  • closeInvestigation
  • createNewIncident
  • setIncident
  • xdr-get-endpoint-device-control-violations

Playbook Inputs


  • TimeStamp
    Description: Timestamp in relative date format for querying device control events from Cortex XDR. For example "1 day", "3 weeks".
    Default Value: (none)
    Required: Optional
  • Severity
    Description: The severity of the created incident when device control events were found. Valid values are:
      0 - Unknown
      0.5 - Informational
      1 - Low
      2 - Medium
      3 - High
      4 - Critical
    Default Value: 1
    Required: Optional
  • IncidentType
    Description: The desired incident type for the created incident when device control violations were found.
    Default Value: Cortex XDR Device Control Violations
    Required: Optional
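As an added illustration (not part of the playbook's own code, and not using the XSOAR API), the following standalone Python models the job's decision logic: it parses the relative-date TimeStamp input, checks it against the job's recurrence as step 5 requires, validates the Severity input against the values listed above, and returns either a closeInvestigation or a createNewIncident plan. The violation records, their 'timestamp' field and the hostnames are constructed sample data, not the Cortex XDR response schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Values the README lists as valid for the Severity input; 1 (Low) is the default.
VALID_SEVERITIES = {0, 0.5, 1, 2, 3, 4}
DEFAULT_SEVERITY = 1
DEFAULT_INCIDENT_TYPE = "Cortex XDR Device Control Violations"
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}


def parse_relative(text):
    """Turn a relative date such as "1 day" or "3 weeks" into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported relative timestamp: {text!r}")
    return timedelta(**{_UNITS[m.group(2).lower()]: int(m.group(1))})


def window_matches_schedule(timestamp, recurrence):
    """README rule: the TimeStamp input must equal the job's recurrence, so
    consecutive runs neither overlap nor leave a gap ("7 days" == "1 week")."""
    return parse_relative(timestamp) == parse_relative(recurrence)


def plan_run(violations, timestamp="1 day", severity=DEFAULT_SEVERITY,
             incident_type=DEFAULT_INCIDENT_TYPE, now=None):
    """Mirror the job's branching. Each violation is a dict with an assumed
    'timestamp' key in epoch milliseconds (constructed, not the XDR schema)."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"Severity must be one of {sorted(VALID_SEVERITIES)}")
    now = now or datetime.now(timezone.utc)
    since = now - parse_relative(timestamp)
    # Keep only events inside the query window, as the XDR query itself would.
    rows = [v for v in violations
            if datetime.fromtimestamp(v["timestamp"] / 1000, timezone.utc) >= since]
    if not rows:
        return {"action": "closeInvestigation", "reason": "no device control violations"}
    return {"action": "createNewIncident", "type": incident_type,
            "severity": severity, "grid_rows": rows}


# Constructed sample: two events inside a 1-day window, one three days old.
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
def _ms(delta):
    return int((SAMPLE_NOW - delta).timestamp() * 1000)
SAMPLE_VIOLATIONS = [
    {"hostname": "ws-01", "type": "Disk Drive", "timestamp": _ms(timedelta(hours=2))},
    {"hostname": "ws-02", "type": "USB", "timestamp": _ms(timedelta(hours=20))},
    {"hostname": "ws-03", "type": "USB", "timestamp": _ms(timedelta(days=3))},
]
```

Calling plan_run(SAMPLE_VIOLATIONS, "1 day", 3, now=SAMPLE_NOW) yields a createNewIncident plan carrying the two in-window rows, which is what the real job hands to SetGridField and createNewIncident.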

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Playbook image: JOB - Cortex XDR query endpoint device control violations]