# Playbook of the Week: Automating Management of XDR Identity Analytics Alerts

By [Omri Itzhak](https://www.paloaltonetworks.com/blog/author/omri-itzhak/?ts=markdown "Posts by Omri Itzhak"), Mar 07, 2024

Categories: [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown). Tags: [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown), [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown), [XDR](https://www.paloaltonetworks.com/blog/tag/xdr/?ts=markdown), [XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

## **Introduction**

Identity analytics is a key tool for detecting compromised user accounts and malicious insiders. Identity threats affect organizations of every size and industry, and a compromised credential, especially one belonging to a privileged account, does the most damage in environments where the principle of least privilege is not strictly enforced.

An identity analytics engine analyzes logs and data from many sensors to establish a baseline of normal behavior across the organization. Deviations from that baseline, such as stolen or misused credentials, lateral movement, credential harvesting, or exfiltration, can then be detected. Cortex XDR uses identity analytics to investigate suspicious user activity, aggregating and displaying user profile information, the user's activity, and the incidents associated with user-based analytics alerts and BIOC rules. This gives organizations the context they need to act on identity threats.

To handle Cortex XDR Identity Analytics alerts, we created the '[Cortex XDR Identity Analytics](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---identity-analytics)' playbook, which automates the enrichment, investigation, and response steps for these alerts. Alongside the playbook, we created a layout that presents the alert details and all the collected data to the analyst.
## **The Layout**

The playbook ships with a layout that gives the analyst everything needed to investigate and resolve the incident. The '**Identity Analytics**' tab shows the alert specifics, user data, IP address details, and the investigation results: the verdict, a short summary of the findings that led to the severity decision, and any Cortex XDR alerts tied to [MITRE tactics](https://www.paloaltonetworks.com/cyberpedia/what-are-mitre-attack-techniques?ts=markdown) executed by the user. The layout also has buttons for quick response actions, such as disabling the user or clearing/revoking the user's sessions.

![Fig 1: Layout - Identity Analytics tab](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/03/word-image-315509-1.png)

Fig 1: Layout - Identity Analytics tab

### **What Does the Playbook Do?**

**Enrichment**

The first phase enriches the indicators and the account on the alert. The playbook enriches the IP address associated with the alert, consolidating data and reputation verdicts from every configured IP enrichment source. It also enriches the user, aggregating data from every configured internal user management system through the '[Account Enrichment - Generic v2.1](https://xsoar.pan.dev/docs/reference/playbooks/account-enrichment---generic-v21)' and '[Cloud IAM Enrichment - Generic](https://xsoar.pan.dev/docs/reference/playbooks/cloud-iam-enrichment---generic)' sub-playbooks.
![Fig 2: Enrichment workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/03/word-image-315509-2.png)

Fig 2: Enrichment workflow

**Verdict**

The playbook derives a severity verdict from the indicator enrichment data and the user risk level reported by the [Cortex XDR ITDR module](https://www.paloaltonetworks.co.uk/resources/techbriefs/identity-threat-detection-and-response-module). If the IP reputation is bad or the user risk level is high, the verdict is Malicious and the playbook goes straight to remediation to block the attack. Otherwise it proceeds to the investigation phase to gather more evidence about the user's activity.

![Fig 3: Verdict and Investigation workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/03/word-image-315509-3.png)

Fig 3: Verdict and Investigation workflow

**Investigation**

The investigation phase examines the user's activity for behavior that indicates compromise. The playbook pulls user activity from several sources through these sub-playbooks:

1. [Okta - User Investigation](https://xsoar.pan.dev/docs/reference/playbooks/okta---user-investigation): Okta is one of the log sources for identity analytics alerts. This sub-playbook retrieves additional information about the user from Okta to identify suspicious activity such as script-based user agents, a high number of failed logins, and other anomalous behavior.
2. [Azure - User Investigation](https://xsoar.pan.dev/docs/reference/playbooks/azure---user-investigation): Azure Event Hub is another key log source for identity analytics alerts. This sub-playbook uses the Azure data to find the same classes of activity: script-based user agents, failed login attempts, and other suspicious patterns.
3. [Cortex XDR - Get entity alerts by MITRE tactics](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---get-entity-alerts-by-mitre-tactics): This sub-playbook searches for other Cortex XDR alerts on the user, grouped by MITRE ATT&CK tactic, to surface malicious actions the user has already performed.

After the investigation the playbook determines the verdict again. If the verdict is Malicious, remediation runs to block the attack. If the enrichment and investigation results are inconclusive, an analyst reviews the details collected by the playbook and presented in the layout, and decides whether the incident is malicious.

**Response Actions**

Response actions run only for a Malicious verdict. The playbook blocks the malicious IP address with the '[Block IP - Generic v3](https://xsoar.pan.dev/docs/reference/playbooks/block-ip---generic-v3)' sub-playbook, clears the user's sessions in Okta, revokes the user's sessions in Azure, and forces re-authentication with MFA. By default the playbook only revokes the Azure sessions; a playbook input additionally resets the user's Azure password through the '[Cloud Credentials Rotation - Azure](https://xsoar.pan.dev/docs/reference/playbooks/cloud-credentials-rotation---azure)' sub-playbook. Because these actions lock a user out and block an address that other users may share, confirm that the IP reputation sources and the ITDR risk threshold feeding the verdict are tuned for your environment before letting the remediation branch run unattended.

![Fig 4: Response workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/03/word-image-315509-4.png)

Fig 4: Response workflow

### **Conclusion**

The Cortex XDR Identity Analytics playbook makes analysts more effective against identity threats by streamlining the response to attacks that use compromised user accounts or malicious insiders. Identity analytics gives analysts clarity on the alert, and the playbook's layout and action buttons simplify the response.

Curious about what our users automate most often and not sure where to start? Listen to our [on-demand webinar](https://start.paloaltonetworks.com/secops-automation-deep-dive) where XSOAR deployment experts walk you through the process we share with our own customers.
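To make the decision logic of the Verdict, Investigation, and Response sections above concrete, here is an added, stand-alone Python model of it. It is not the playbook's code and calls no XSOAR, Okta, or Azure API; the flattened event fields, the script user-agent markers, the failed-login threshold, the LOW/MEDIUM/HIGH user risk labels, and the rule that two independent findings make the post-investigation verdict Malicious are all assumptions made for this example, and the Okta-style login events are constructed.

```python
"""Added example: a stand-alone model of the playbook's verdict, investigation
and response decisions. Not XSOAR code; every threshold and field name below is
an assumption made for this example."""

# XSOAR's DBotScore reputation scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Assumption: substrings that mark a scripted client rather than a browser.
SCRIPT_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp", "powershell")

# Constructed Okta-style System Log events, flattened to the fields the checks use
# (actor.alternateId, eventType, outcome.result, client.ipAddress, client.userAgent).
SAMPLE_EVENTS = [
    {"user": "j.doe@example.com", "event": "user.session.start", "outcome": "FAILURE",
     "ip": "203.0.113.45", "ua": "python-requests/2.31.0"}
    for _ in range(5)
] + [
    {"user": "j.doe@example.com", "event": "user.session.start", "outcome": "SUCCESS",
     "ip": "203.0.113.45", "ua": "python-requests/2.31.0"},
    {"user": "a.smith@example.com", "event": "user.session.start", "outcome": "SUCCESS",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"},
]


def consolidate_ip_reputation(vendor_scores):
    """Enrichment: one DBotScore per configured IP source; the worst score wins."""
    return max(vendor_scores, default=UNKNOWN)


def is_script_user_agent(user_agent):
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)


def investigate_user(events, user, failed_login_threshold=5):
    """Investigation: the checks the Okta/Azure sub-playbooks are described as
    running, applied to one user's login events. Returns human-readable findings."""
    logins = [e for e in events if e["user"] == user and e["event"] == "user.session.start"]
    findings = []
    script_uas = sorted({e["ua"] for e in logins if is_script_user_agent(e["ua"])})
    if script_uas:
        findings.append("script-based user agent: " + ", ".join(script_uas))
    failed = sum(1 for e in logins if e["outcome"] == "FAILURE")
    if failed >= failed_login_threshold:
        findings.append(f"{failed} failed logins (threshold {failed_login_threshold})")
    # A success from an address that also produced failures looks like a guessed password.
    failed_ips = {e["ip"] for e in logins if e["outcome"] == "FAILURE"}
    success_ips = {e["ip"] for e in logins if e["outcome"] == "SUCCESS"}
    for ip in sorted(failed_ips & success_ips):
        findings.append(f"successful login from {ip} after failures from the same address")
    return findings


def determine_verdict(ip_score, user_risk, findings, min_findings=2):
    """Verdict: bad IP reputation or high ITDR user risk is Malicious on its own.
    Otherwise (assumption) two or more independent findings make it Malicious;
    anything less goes to an analyst, the playbook never auto-closes as benign."""
    if ip_score == BAD or user_risk == "HIGH":
        return "Malicious"
    if len(findings) >= min_findings:
        return "Malicious"
    return "Analyst review"


def plan_response(verdict, ip, reset_azure_password=False):
    """Response: actions run only for a Malicious verdict; the password reset is an
    opt-in playbook input, session revocation is the default."""
    if verdict != "Malicious":
        return []
    actions = [
        f"Block IP - Generic v3: {ip}",
        "Okta: clear user sessions",
        "Azure: revoke sign-in sessions (forces MFA re-authentication)",
    ]
    if reset_azure_password:
        actions.append("Cloud Credentials Rotation - Azure: reset password")
    return actions


def handle_alert(alert, events, vendor_scores, mitre_alerts=(), reset_azure_password=False):
    """Run the phases in the order the playbook does and return what the layout shows."""
    ip_score = consolidate_ip_reputation(vendor_scores)
    findings = investigate_user(events, alert["user"])
    if mitre_alerts:  # alerts returned by 'Get entity alerts by MITRE tactics'
        findings.append("Cortex XDR alerts on user: " + ", ".join(mitre_alerts))
    verdict = determine_verdict(ip_score, alert["user_risk"], findings)
    return {
        "ip_score": ip_score,
        "findings": findings,
        "verdict": verdict,
        "actions": plan_response(verdict, alert["ip"], reset_azure_password),
    }


if __name__ == "__main__":
    alert = {"user": "j.doe@example.com", "user_risk": "MEDIUM", "ip": "203.0.113.45"}
    for key, value in handle_alert(alert, SAMPLE_EVENTS, [GOOD, UNKNOWN]).items():
        print(f"{key}: {value}")
```

In the real playbook the inputs to these functions come from context: the DBotScore entries written by the IP enrichment integrations, the user risk level from the XDR ITDR module, the query results of the Okta and Azure investigation sub-playbooks, and the alert list from the MITRE tactics sub-playbook. The point of the model is the ordering: a bad IP or high-risk user short-circuits to remediation, while everything else must earn a Malicious verdict from the investigation or land with an analyst.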