# Playbook of the Week: Suspicious SSO? Check It Out with XSOAR
By [Omri Itzhak](https://www.paloaltonetworks.com/blog/author/omri-itzhak/?ts=markdown "Posts by Omri Itzhak"), May 25, 2023, 5 minutes

Tags: [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown), [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown), [SSO](https://www.paloaltonetworks.com/blog/tag/sso/?ts=markdown), [UEBA](https://www.paloaltonetworks.com/blog/tag/ueba/?ts=markdown)

**Introduction**

In today's increasingly complex digital landscape, user and entity behavior analytics (UEBA) has emerged as a crucial tool for organizations looking to enhance their cybersecurity capabilities. UEBA allows organizations to monitor and analyze user and entity activity within their network and to detect suspicious behavior that could indicate a potential cyber attack.

One specific type of threat that UEBA can help detect is the first single sign-on (SSO) access from a new Autonomous System Number (ASN) or from a new country. With SSO, users sign in once to gain access to multiple applications or services. Attackers often use this method to gain unauthorized access to an organization's network, which can have significant consequences for the organization's security and reputation.

With the [Cortex XDR - First SSO Access](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---first-sso-access) playbook, enrichment, investigation, and response can be fully automated to handle these alerts:

* First SSO access from ASN in the organization.
* First SSO connection from a country in the organization.
![Cortex XSOAR & Cortex XDR - UEBA alert response workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-1.png)

Cortex XSOAR & Cortex XDR - UEBA alert response workflow

### **What Does the Playbook Do?**

**Indicator Enrichment**

The first stage of the playbook includes critical steps for identifying and addressing potential threats. To achieve this, the playbook performs indicator enrichment to gather information related to the IP address associated with a potential threat. Data and reputation information is gathered from all available and configured IP enrichment sources. Additionally, the playbook enriches the information on the user by gathering data from all available and configured internal user management systems.

**Initial Containment**

Based on the IP reputation score, XSOAR executes an initial automated or semi-automated response: it clears all sessions associated with the compromised user and requires the user to re-authenticate using multi-factor authentication.
![Enrichment & initial containment playbook workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-2.png)

Enrichment & initial containment playbook workflow

**Investigation**

The next stage performs an investigation that explores the following criteria:

* Use the [User Investigation - Generic](https://xsoar.pan.dev/docs/reference/playbooks/user-investigation---generic) sub-playbook to provide a comprehensive view of the potential threat by searching for:
  * Suspicious user activities, using SIEM and Okta queries
  * Related alerts and user activities based on MITRE ATT&CK tactics, via the XDR integration
* Use the [TIM - Indicator Relationships Analysis](https://xsoar.pan.dev/docs/reference/playbooks/tim---indicator-relationships-analysis) sub-playbook to check insights and identify any indicators of compromise (IOCs) from threat feeds, and to give notice if there are related TIM campaigns associated with the user's IP address.

![Investigation phase of playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-3.png)

Investigation phase of playbook

**Verdict Decision**

The next stage sets the alert's verdict using the [Cortex XDR - First SSO Access - Set Verdict](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---first-sso-access---set-verdict) sub-playbook, which performs various checks based on the enrichment and investigation data. The verdict is set according to the number of positive results from these checks. The threshold for the number of positive results can be adjusted by changing the threshold value of the playbook's input.
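To make the decision flow concrete, here is a small Python model of the three decision points the post describes: initial containment keyed on the IP reputation score, a verdict set by counting positive checks against an adjustable threshold, and the resolution path (close, analyst review, or response actions) that follows from that verdict. This is an added illustration written for this article, not code from the Cortex XDR - First SSO Access playbook or its sub-playbooks. The specific checks, the reputation labels, the threshold defaults, the action names and the `AlertContext` fields are all assumptions modelled on the enrichment and investigation criteria listed above; the sample alert values (user, IP, ASN, country) are constructed.

```python
"""Toy model of First SSO Access alert triage.

Illustration written for this article; it is NOT the playbook's own logic.
Check names, thresholds, reputation labels and action names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AlertContext:
    """Constructed enrichment and investigation results for one alert."""
    user: str
    source_ip: str
    country: str
    asn: int
    ip_reputation: str           # assumed labels: "Malicious", "Suspicious", "Good", "Unknown"
    related_xdr_alerts: int      # alerts on the user found via the XDR integration
    suspicious_siem_events: int  # hits from the SIEM / Okta queries
    ioc_match: bool              # the IP appears in a configured threat feed
    tim_campaign: bool           # the IP is related to a TIM campaign


def initial_containment(ctx: AlertContext) -> list[str]:
    """First, automated response keyed on the IP reputation score alone.

    A bad reputation is enough to clear the user's sessions and force an
    MFA re-authentication before the full investigation has finished.
    """
    if ctx.ip_reputation in ("Malicious", "Suspicious"):
        return ["clear_user_sessions", "require_mfa_reauth"]
    return []


def run_checks(ctx: AlertContext) -> dict[str, bool]:
    """One boolean per investigation criterion; True is a positive (bad) result."""
    return {
        "ip_reputation_bad": ctx.ip_reputation in ("Malicious", "Suspicious"),
        "related_xdr_alerts": ctx.related_xdr_alerts > 0,
        "suspicious_siem_activity": ctx.suspicious_siem_events > 0,
        "ioc_in_threat_feed": ctx.ioc_match,
        "related_tim_campaign": ctx.tim_campaign,
    }


def set_verdict(checks: dict[str, bool],
                malicious_threshold: int = 3,
                suspicious_threshold: int = 1) -> tuple[str, int]:
    """Verdict from the count of positive checks against adjustable thresholds.

    Returns (verdict, number_of_positive_checks). Raising malicious_threshold
    makes the playbook more conservative, as the post describes for the
    threshold input.
    """
    positives = sum(1 for hit in checks.values() if hit)
    if positives >= malicious_threshold:
        return "Malicious", positives
    if positives >= suspicious_threshold:
        return "Suspicious", positives
    return "Non-malicious", positives


def resolve(verdict: str) -> list[str]:
    """Resolution path per verdict: close, hand to an analyst, or respond."""
    if verdict == "Malicious":
        return ["block_account", "reset_password", "isolate_endpoint"]
    if verdict == "Suspicious":
        return ["request_manager_confirmation", "assign_to_analyst"]
    return ["close_as_false_positive"]


def triage(ctx: AlertContext, malicious_threshold: int = 3) -> dict:
    """Run the whole flow for one alert and return every intermediate result."""
    checks = run_checks(ctx)
    verdict, positives = set_verdict(checks, malicious_threshold)
    return {
        "containment": initial_containment(ctx),
        "checks": checks,
        "positives": positives,
        "verdict": verdict,
        "actions": resolve(verdict),
    }


if __name__ == "__main__":
    # Constructed sample: documentation-range IP (RFC 5737) and ASN (RFC 5398).
    sample = AlertContext(user="jdoe", source_ip="203.0.113.77", country="ZZ",
                          asn=64496, ip_reputation="Malicious", related_xdr_alerts=2,
                          suspicious_siem_events=1, ioc_match=True, tim_campaign=False)
    for threshold in (3, 5):
        result = triage(sample, malicious_threshold=threshold)
        print(f"threshold={threshold}: {result['positives']} positive checks "
              f"-> {result['verdict']} -> {result['actions']}")
```

Running the block shows the effect of the threshold input: the same alert with four positive checks is Malicious at a threshold of 3 and drops to Suspicious (analyst review, optional manager confirmation) at a threshold of 5, while the initial containment still fires in both cases because it depends only on the reputation score.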
![Cortex XDR - First SSO Access - Setting a verdict workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-4.png)

Cortex XDR - First SSO Access - Setting a verdict workflow

**Verdict Resolution**

If the verdict is non-malicious, the incident is considered a false positive and is closed. If the verdict is suspicious, it requires manual intervention by an analyst. Additionally, there is an option to automatically request confirmation from the user's manager regarding any suspicious activities, such as verifying whether it is reasonable for the user to connect from a specific country. The manager's confirmation can aid the analyst in determining whether the incident is a true or false positive. If the verdict is malicious, the next stage performs response actions.

![Cortex XDR - First SSO Access - getting a verdict confirmation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-5.png)

Cortex XDR - First SSO Access - getting a verdict confirmation

**Response Actions**

When the final verdict is malicious, the playbook initiates the following automated or semi-automated response procedures:

* Block the compromised account using the "[Block Account - Generic v2](https://xsoar.pan.dev/docs/reference/playbooks/block-account---generic-v2)" sub-playbook.
* Manually reset the account password.
* Isolate endpoints using Cortex XDR, if there is a Cortex XDR Agent on the endpoint.
* Manually isolate the impacted endpoint.

![Response section of the workflow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-6.png)

Response section of the workflow

### **The Layout**

The layout created for this alert provides detailed incident views to aid analysts in furthering their investigation.
The layout tab contains the following useful information:

* Alert details
* Containment status
* Account information
* Connection information, including the country and ASN of the login
* Investigation details, including XDR related alerts
* Account information
* Containment status
* Verdict result parameters, including the final verdict and the outcomes of all checks conducted to set the verdict

![Incident Layout for First SSO Access Alert](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-295020-7.png)

Incident Layout for First SSO Access Alert

### **Conclusion**

It is essential to monitor and respond to UEBA alerts in your organization. Using the [Cortex XDR - First SSO Access](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---first-sso-access) playbook decreases the response time and improves the effectiveness of security operations for these use cases. This playbook is part of the Cortex XDR content pack.

### **Learn More**

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour). We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.