This blog was written by Omri Itzhak.
Introduction
In today's increasingly complex digital landscape, user and entity behavior analytics (UEBA) has emerged as a crucial tool for organizations looking to enhance their cybersecurity capabilities. UEBA allows organizations to monitor and analyze user and entity activity within their network, and detect suspicious behavior that could indicate a potential cyber attack. One specific type of threat that UEBA can help detect is the first single sign on (SSO) access from a new Autonomous System Number (ASN) or from a new country. With SSO, users sign in once to gain access to multiple applications or services.
Attackers often use this method to gain unauthorized access to an organization's network, which can have significant consequences for the organization's security and reputation.
With the Cortex XDR - First SSO Access playbook, enrichment, investigation, and response can be fully automated to handle these alerts:
Indicator Enrichment
The first stage of the playbook includes critical steps for identifying and addressing potential threats. To achieve this, the playbook performs indicator enrichment to gather information related to the IP address associated with a potential threat. Data and reputation information is gathered from all available and configured IP enrichment sources. Additionally, the playbook enriches the information on the user by gathering data from all available and configured internal user management systems.
Initial Containment
Based on the IP reputation score, XSOAR will execute an initial automated, or semi-automated response by clearing all sessions associated with the compromised user, and require the user to re-authenticate using multi-factor authentication.
Investigation
The next stage includes performing an investigation and exploring the following investigation criteria:
Verdict Decision
The next stage is to set the alert’s verdict using the Cortex XDR - First SSO Access - Set Verdict sub-playbook to perform various checks based on the enrichment and investigation data.
The verdict is set according to the number of positive results from these checks. The threshold for the number of positive results can be adjusted by changing the threshold value of the playbook’s input.
Verdict Resolution
If the verdict is determined to be non-malicious, the incident will be considered a false positive and subsequently closed. If the verdict is determined to be suspicious, it will require manual intervention by an analyst. Additionally, there is an option to automatically request confirmation from the user's manager regarding any suspicious activities, such as verifying if it's reasonable for the user to connect from a specific country. The manager's confirmation can aid the analyst in determining whether the incident is a true or false positive.
If the verdict is determined to be malicious, the next stage will involve performing response actions.
Response Actions
When the final verdict is determined to be malicious, the playbook will initiate the following automated or semi-automated response procedures:
The layout created for this alert provides detailed incident views to aid analysts in furthering their investigation. The layout tab contains the following useful information:
It is essential to monitor and respond to UEBA alerts in your organization. Using the Cortex XDR - First SSO Access playbook decreases the response time and improves the effectiveness of security operations for these use cases. This playbook is part of the Cortex XDR content pack.
Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automation packs for common use cases you deal with daily in your security operations or SOC.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 5 Likes | |
| 3 Likes | |
| 3 Likes | |
| 3 Likes | |
| 3 Likes |
| User | Likes Count |
|---|---|
| 13 | |
| 4 | |
| 3 | |
| 3 | |
| 2 |
