* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Security Operations](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Automating Response to Un...

# Automating Response to Unauthorized User Account Creation

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fautomating-response-to-unauthorized-user-account-creation%2F)  
[](https://twitter.com/share?text=Automating+Response+to+Unauthorized+User+Account+Creation&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fautomating-response-to-unauthorized-user-account-creation%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fautomating-response-to-unauthorized-user-account-creation%2F&title=Automating+Response+to+Unauthorized+User+Account+Creation&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/automating-response-to-unauthorized-user-account-creation/&ts=markdown)  
\[\](mailto:?subject=Automating Response to Unauthorized User Account Creation)  
Link copied  
By [Ido Van Dijk](https://www.paloaltonetworks.com/blog/author/ido-van-dijk/?ts=markdown "Posts by Ido Van Dijk")  
Feb 20, 2025  
3 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSIAM](https://www.paloaltonetworks.com/blog/tag/cortex-xsiam/?ts=markdown)  
[IAM](https://www.paloaltonetworks.com/blog/tag/iam/?ts=markdown)  
[Security Automation](https://www.paloaltonetworks.com/blog/tag/security-automation/?ts=markdown)  
[user accounts](https://www.paloaltonetworks.com/blog/tag/user-accounts/?ts=markdown)

## Introduction

Hidden user accounts can be a significant security risk, as attackers often create them to establish persistence within an environment. These accounts may be used to escalate privileges, execute malicious activities, or evade detection. To combat this threat, Cortex XSIAM's Response and Remediation Pack includes the [Suspicious Hidden User Created playbook](https://xsoar.pan.dev/docs/reference/playbooks/suspicious-hidden-user-created), designed to identify, investigate, and remediate unauthorized hidden user account creation.

### Threat Overview

The creation of hidden user accounts is a known tactic used by adversaries to maintain access to an organization's infrastructure. Such accounts may be configured with privileges that allow them to bypass security policies, making them difficult to detect through conventional monitoring tools.

This playbook responds to the following alert:

* Suspicious Hidden User Created

### Purpose of the Playbook

The Suspicious Hidden User Created playbook is designed to streamline incident response for potential unauthorized account creation by:

* Retrieving event details related to the created user.
* Determining whether the user is local or domain-based.
* Fetching Active Directory (AD) attributes and checking password expiration state for domain users.
* Running PowerShell commands to verify the local user's password expiration state.
* Evaluating the risk level of the affected host using advanced AI logic.
* Identifying related alerts involving suspicious script execution.
* Providing remediation recommendations, including disabling the hidden user and terminating associated malicious processes.

### Stages of the Playbook

#### **Triage**

* The playbook retrieves key information about the created user account from event logs.

#### **Investigation**

* User Type Identification: Determines whether the suspicious account is a domain user or a local user.
* For Domain Users:
  * Retrieves Active Directory attributes, including password expiration status.
* For Local Users:
  * Executes a PowerShell command to check if the password expiration policy is configured.
* Host Risk Assessment: Analyzes the risk level of the machine where the user was created using advanced AI logic.
* Related Alert Correlation: Searches for additional indicators of compromise, such as script execution activities that could signal malicious behavior.

![Fig 1: Segment of playbook showcasing automated investigation actions related to host, alert, and user checks.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/02/word-image-335279-1.png)
Fig 1: Segment of playbook showcasing automated investigation actions related to host, alert, and user checks.

#### **Containment**

* If the alert is confirmed as a true positive, the playbook suggests disabling the hidden user account.
* Upon analyst approval, the playbook:
  * Disables the user (whether domain or local).
  * If a related alert identifies malicious script execution, the playbook terminates the Causality Group Owner (CGO) process responsible for creating the account.

![Fig 2: Segment of playbook showcasing automated remediation steps for terminating processes or disabling users.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/02/word-image-335279-2.png)
Fig 2: Segment of playbook showcasing automated remediation steps for terminating processes or disabling users.

### Integration Requirements

To enable automated remediation, the following integrations must be active:

* Cortex Core - Investigation and Response (for alert analysis and process termination).
* Active Directory Query v2 (for domain user actions).

### Security Challenges Addressed

* Detecting Hidden Persistence: Automatically identifies unauthorized user account creation attempts.
* Reducing Manual Investigation Time: Provides analysts with structured data, including risk scores and related alerts.
* Immediate Containment Actions: Allows security teams to disable suspicious accounts and terminate malicious processes.
* Context-Enriched Decision Making: Correlates multiple signals to determine the likelihood of a compromised system.

### Conclusion

The Suspicious Hidden User Created playbook is a powerful tool for detecting and responding to unauthorized account creation attempts. By integrating Active Directory monitoring, behavioral risk analysis, and real-time containment actions, security teams can quickly neutralize threats and prevent persistent access by adversaries.

### Learn More

For a deeper dive into the Cortex XSIAM Response and Remediation Pack, check out the full documentation here:[Cortex Response and Remediation Pack](https://cortex.marketplace.pan.dev/marketplace/details/CortexResponseAndRemediation/).

*** ** * ** ***

## Related Blogs

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Creating an Automated Workflow for Account Lockout Resolution](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/creating-an-automated-workflow-for-account-lockout-resolution/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Automating Response to Unauthorized Scheduled Task Executions](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/automating-response-to-unauthorized-scheduled-task-executions/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Automating Response to Unauthorized Tor Logins](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/automating-response-to-unauthorized-tor-logins/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Automated Rapid Response to Suspicious Remote Scheduled Task Creation](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/automated-rapid-response-to-suspicious-remote-scheduled-task-creation/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Automate Response to Event Log Clearing Alerts with Cortex XSIAM](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/automate-response-to-event-log-clearing-alerts-with-cortex-xsiam/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Playbook of the Week: Cortex XSOAR Automated Identity Lifecycle Management](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-cortex-xsoar-automated-identity-lifecycle-management/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language