Details

This incident response workflow consumes one or more users (user or process_username) and attempts to force a logout from endpoints running Windows, macOS or Linux. It requires Cisco Orbital. This workflow is intended for use in a playbook during the containment stage.

Description

This incident response workflow consumes one or more users (user or process_username) and attempts to force a logout from endpoints running Windows, macOS or Linux.

This workflow is intended for use in a playbook during the containment stage.

Upon execution, the analyst receives a notification (prompt task) asking whether the logout attempt should be executed only on the endpoints involved in the incident, or on all endpoints where the user is currently logged in.

After sending the logout request, the workflow re-queries each endpoint to confirm whether the logout was successful.

Targets

This workflow requires the Cisco Orbital module to be integrated in Cisco XDR, and Orbital to be active on the target endpoints. Endpoints on which Orbital is not connected cannot be queried and are reported as "Endpoint not connected".

Workflow Steps

Structure:

  • Create Task Prompt and wait for Analyst answer

  • For Each User (user or process_username)

    • If prompt answer = "Endpoints Involved in the Incident Only":

      • Extract target endpoints from the incident, store hostnames in "Host Table" with type "none" and format "Host List"
      • With "Host List", check via Orbital Query whether the user is logged in
      • If Query failed with error "no result for job" (no endpoint answered): update workflow output (No endpoint connected) and complete the workflow
      • If Query succeeded: update "Host Table" with the result for each connected endpoint (type = "Logged In" or "Not Logged In"); endpoints that did not answer keep type "none"
      • For Each Host in "Host Table" - Force Logout Step
        • If "Logged In": Force Logout via Orbital Script
          • If Script status success = True: update workflow output (Request sent)
          • If Script status success = False: update workflow output (Orbital Error)
        • If "Not Logged In": update workflow output (User not currently logged in)
        • If "none" (endpoint not connected): update workflow output (Endpoint not connected)
      • For Each Host in "Host Table" - Confirm Logout Step
        • If "Logged In": check again via Orbital Query whether the user is logged in
          • If row count = 0: update workflow output (Logout confirmed)
          • If row count > 0: update workflow output (User still logged in)

    • If prompt answer = "All endpoints where users are currently logged in":

      • Search on all endpoints via Orbital Query to find where the user is currently logged in
      • If Query failed with error "no result for job" (no endpoint answered): update workflow output (No endpoint connected) and complete the workflow
      • If Query succeeded:
        • For Each result, get row count
          • If row count > 0: add hostname to "Host Table"
      • If "Host Table" is empty:
        • Update workflow output (No endpoint found)
      • If "Host Table" is not empty:
        • For Each Host in "Host Table" - Force Logout Step
          • Force Logout via Orbital Script
            • If Script status success = True: update workflow output (Request sent)
            • If Script status success = False: update workflow output (Orbital Error)
        • For Each Host in "Host Table" - Confirm Logout Step
          • Check again via Orbital Query whether the user is logged in
            • If row count = 0: update workflow output (Logout confirmed)
            • If row count > 0: update workflow output (User still logged in)

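The two branches above share one piece of logic: build a host table from an Orbital query, run the logout script on every host marked "Logged In", then re-query to confirm. The following is an added example (not the workflow's own code, which is a Cisco XDR Automation definition) that implements that host-table state machine in Python against a simulated Orbital backend. The FakeOrbital class, the sample hosts and users, and the exact osquery text are assumptions made for the example; the only thing taken from osquery itself is that the logged_in_users table exists. It also covers one point the page only implies: the username is interpolated into SQL and comes from incident observables, so it is validated before use.

```python
"""Host-table logic of the force-logout workflow with a simulated Orbital backend (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# osquery SQL an Orbital "is this user logged in?" query could use. logged_in_users is a real
# osquery table; the workflow's actual query text is not given on the page (assumption).
LOGGED_IN_QUERY = "SELECT type, user, tty, host, time FROM logged_in_users WHERE user = '{user}';"
# Usernames come from incident observables (process_username), i.e. attacker-influenced input.
# Reject anything that could break out of the quoted literal before it reaches the query.
USERNAME_RE = re.compile(r"^[\w.\-@\\]{1,128}$")

LOGGED_IN, NOT_LOGGED_IN, NONE = "Logged In", "Not Logged In", "none"
MODE_INCIDENT = "Endpoints Involved in the Incident Only"
MODE_ALL = "All endpoints where users are currently logged in"


@dataclass
class HostEntry:
    hostname: str
    status: str = NONE                      # "none" = endpoint never answered the query
    output: List[str] = field(default_factory=list)


class FakeOrbital:
    """Constructed stand-in for Orbital. sessions: host -> users currently logged in."""

    def __init__(self, sessions: Dict[str, Set[str]], connected: Set[str],
                 broken_script: Set[str] = frozenset(), sticky: Set[str] = frozenset()):
        self.sessions, self.connected = sessions, connected
        self.broken_script = broken_script  # hosts where the logout script errors out
        self.sticky = sticky                # hosts where the script "succeeds" but the session survives

    def query(self, user: str, hosts=None) -> Dict[str, list]:
        """Rows per connected host; an empty dict mirrors Orbital's 'no result for job' error."""
        if not USERNAME_RE.match(user):
            raise ValueError(f"refusing to build a query for username {user!r}")
        sql = LOGGED_IN_QUERY.format(user=user)  # what would be sent to the endpoints
        targets = hosts if hosts is not None else self.connected  # None = all endpoints
        return {h: ([{"user": user, "host": h, "sql": sql}] if user in self.sessions.get(h, set()) else [])
                for h in targets if h in self.connected}

    def script(self, host: str, user: str) -> bool:
        if host in self.broken_script:
            return False
        if host not in self.sticky:
            self.sessions.get(host, set()).discard(user)  # simulate the session being killed
        return True


def build_host_table(mode: str, incident_hosts: List[str], results: Dict[str, list]) -> Dict[str, HostEntry]:
    if mode == MODE_INCIDENT:
        table = {h: HostEntry(h) for h in incident_hosts}  # every incident host starts as "none"
        for h, rows in results.items():
            if h in table:
                table[h].status = LOGGED_IN if rows else NOT_LOGGED_IN
        return table
    # MODE_ALL: only hosts where the search returned at least one row enter the table
    return {h: HostEntry(h, LOGGED_IN) for h, rows in results.items() if rows}


def force_logout_step(table: Dict[str, HostEntry], orbital: FakeOrbital, user: str) -> None:
    for e in table.values():
        if e.status == LOGGED_IN:
            e.output.append("Request sent" if orbital.script(e.hostname, user) else "Orbital Error")
        elif e.status == NOT_LOGGED_IN:
            e.output.append("User not currently logged in")
        else:
            e.output.append("Endpoint not connected")


def confirm_logout_step(table: Dict[str, HostEntry], orbital: FakeOrbital, user: str) -> None:
    for e in table.values():
        if e.status != LOGGED_IN:
            continue
        res = orbital.query(user, [e.hostname])
        if e.hostname not in res:  # host dropped off between the two queries (not on the page; added handling)
            e.output.append("No confirmation (endpoint not connected)")
        else:
            e.output.append("Logout confirmed" if len(res[e.hostname]) == 0 else "User still logged in")


def run_workflow(mode: str, user: str, incident_hosts: List[str], orbital: FakeOrbital) -> Dict[str, List[str]]:
    """Run both steps for one user; returns hostname -> workflow output lines."""
    results = orbital.query(user, incident_hosts if mode == MODE_INCIDENT else None)
    if not results:                          # Orbital: "no result for job"
        return {"workflow": ["No endpoint connected"]}
    table = build_host_table(mode, incident_hosts, results)
    if not table:
        return {"workflow": ["No endpoint found"]}
    force_logout_step(table, orbital, user)
    confirm_logout_step(table, orbital, user)
    return {h: e.output for h, e in table.items()}


def sample_orbital() -> FakeOrbital:
    """Constructed fleet: jdoe on ws01/srv03/ws04, alice on ws02; srv03's script fails; ws04 ignores it."""
    return FakeOrbital(sessions={"ws01": {"jdoe"}, "ws02": {"alice"}, "srv03": {"jdoe"}, "ws04": {"jdoe"}},
                       connected={"ws01", "ws02", "srv03", "ws04"},
                       broken_script={"srv03"}, sticky={"ws04"})


def demo():
    incident = run_workflow(MODE_INCIDENT, "jdoe", ["ws01", "ws02", "ws05"], sample_orbital())
    everywhere = run_workflow(MODE_ALL, "jdoe", [], sample_orbital())
    return incident, everywhere


if __name__ == "__main__":
    for name, out in zip(("incident-only", "all-endpoints"), demo()):
        print(name, out)
```

In the incident-only run ws05 never answers and is reported as not connected rather than silently skipped; in the all-endpoints run srv03 surfaces as an Orbital error and ws04 as a logout that was requested but did not take effect, which is exactly the signal the confirm step exists to give an analyst before closing the containment task.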
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Orbital
  • Cisco XDR
About
Author
Ivan Berlinson
Version
v1.0
Intent
Incident Response
Integration
Average rating
5.0 out of 5
Authorship
Community
Contact and support information
External links
Related workflows
Cisco Managed
This workflow works with an incident automation rule or playbook task to execute an Orbital query on an XDR incident's assets.
Cisco Managed
This workflow works with an incident response playbook to execute an Orbital query on user-selected assets from an XDR incident.
Cisco Managed
This workflow works with an incident automation rule or playbook task to execute an Orbital script on an XDR incident's assets.
Cisco Managed
This workflow works with an incident response playbook to execute an Orbital script on user-selected assets from an XDR incident.
Community
This incident response workflow consumes one or more users (user or process_username) and attempts to disable the local account on endpoints running Windows, macOS or Linux.
Community
This incident response workflow consumes one or more users (user or process_username) and attempts to force a logout from endpoints running Windows, macOS or Linux.
Community
This incident response workflow consumes one or more users (user or process_username) and attempts to re-enable the local account on endpoints running Windows, macOS or Linux. This workflow is intended for use in a playbook during the recovery stage.
Cisco Managed
This workflow initiates a Cisco Orbital forensic snapshot for the endpoint identified by the provided observable.