* [Blog](https://www.paloaltonetworks.com/blog)
* [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Playbook of the Week: Unl...

# Playbook of the Week: Unleash the Power of Identity Threat Intelligence with Automation

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-itdr%2F)  
[](https://twitter.com/share?text=Playbook+of+the+Week%3A+Unleash+the+Power+of+Identity+Threat+Intelligence+with+Automation&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-itdr%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-itdr%2F&title=Playbook+of+the+Week%3A+Unleash+the+Power+of+Identity+Threat+Intelligence+with+Automation&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-itdr/&ts=markdown)  
\[\](mailto:?subject=Playbook of the Week: Unleash the Power of Identity Threat Intelligence with Automation)  
Link copied  
By [Ido Van Dijk](https://www.paloaltonetworks.com/blog/author/ido-van-dijk/?ts=markdown "Posts by Ido Van Dijk")  
Oct 24, 2023  
4 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

When it comes to detecting identity-related threats, security teams need to distinguish between suspicious but benign activity and truly malicious activity. This can be challenging as identity threats and malicious insider attacks are often carried out over an extended period of time, making them harder to detect with traditional detection engines. Moreover, to effectively identify the risks associated with identity threats, organizations need a clear view of the potential risks to make informed mitigation decisions.

Because of the nature of identity attacks, a reactive approach cannot work. Security operations must be proactive against identity-related threat vectors, such as compromised accounts and malicious insiders. This means leveraging the power of AI and automation for advanced detection capabilities that enable organizations to quickly identify, investigate, and ultimately respond to identity threats.

With the new [Cortex XDR Identity Threat Detection and Response (ITDR)](https://www.paloaltonetworks.com/resources/techbriefs/identity-threat-detection-and-response-module?ts=markdown) module integration built into our existing XSOAR playbooks, you will gain the ability to enrich your SOC incident data with valuable insights into user and host identity threats. This means that you can not only detect incidents, but also understand the nuances of the risks associated with each user and host, giving you a deeper understanding of the threat landscape.

These new capabilities have been added to the [Cortex XDR content pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexXDR/), integrating the new Cortex XDR ITDR enhancements into the various stages of incident investigation, with alert playbooks, as well as general XDR incident playbooks.

Let's take a closer look at how these ITDR enhancements can help your security team in the case of an RDP brute-force incident. Firstly, the alert now includes identity threat data that is associated with users and hosts:

![Chart showing Playbook triggered, Analysis, Endpoint Enrichment, Account Enrichment.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-1.png)

![Identity-rich threat data.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-2.png)
Fig 1: Identity-rich threat data

Upon examining the various detectors, analysts can see that the user "administrator" received a high risk level due to multiple reasons. One of the reasons was that "Regsvr32" may have executed code from an untrusted source, among other alerts.

The playbook responsible for setting a verdict for RDP brute-force alerts checks data from several sources, including recent activity logs of the user, the reputation of the IP from which the attack originated, and now also verifies if the user or host are risky. Since both were found to be risky in this case, the playbook will treat this alert as malicious activity.
![Sub-playbook: Cortex XDR – Possible external RDP brute-force – set verdict](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-3.png)
Fig 2: Set verdict tasks within playbook

By configuring the Critical Element input of the playbook, the alert can also now be automatically escalated based on the risk level associated with the host and user identities. As a result, communications can be set automatically to the impacted user to verify the activity mentioned. Upon receiving a reply that the user did not authorize it, the analyst can then direct the playbook to proceed with the remediation.
![Cortex XDR – Possible External RDP Brute-Force](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-4.png)
Fig 3: User communications tasks in playbook

After blocking the user temporarily, the playbook provides analysts with the recommendation to isolate the endpoint due to its new identity risk.
![#457 Recommend isolation anyway.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-5.png)
Fig 4: Endpoint isolation recommendation within playbook

After handling the specific alert in the alert playbooks, the work plan then proceeds to the XDR Incident Handling playbook. A new severity is calculated for the overall incident based on all the information from the incident and the specific alerts, including information based on the identity threats that were identified:
![Sub-playbook: calculate severity - generic v2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-6.png)
Fig 5: Incident level severity calculation

As the safety of both the user and host are of utmost importance, this incident was assigned a high severity rating. To enhance transparency and facilitate better decision-making, XSOAR has a new tab in the incident layout to provide detailed information on the risky assets involved in the incident.
![New layout window tab detailing risky assets involved in incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306875-7.png)
Fig 6: New layout window tab detailing risky assets involved in incident

The newly added data at the alert level has led to the integration of various enhancements in alert-specific playbooks. Additionally, the improvements made at the XDR Incident Handling playbook level apply across all XDR incidents, regardless of the types of alerts they contain. This includes the enhancements to the default XDR incident layout window as shown above.

These updates are now available in XSOAR as part of the [Cortex XDR content pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexXDR/) available via our [Cortex Marketplace.](https://cortex.marketplace.pan.dev/marketplace/)

Note: These enhancements will also be made available soon in Cortex XSIAM as part of the Core - Investigation and Response content pack.

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Streamlining the management of XDR Incidents](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-the-management-of-xdr-incidents/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### An Automated Response to Malicious Pod Activity](https://www.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Rapid Response for Fighting Ursa Phishing Campaign](https://www.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language