Cisco Orbital - Incident Response - Re-enable Local User
This incident response workflow consumes one or more users (user or process_username) and attempts to re-enable the local account on endpoints running Windows, Mac or Linux. This workflow is intended for use in a playbook during the recovery stage.
Description
Upon execution, the analyst receives a notification (prompt task) asking whether the attempt to re-enable the local account should run only on the endpoints involved in the incident, or on all endpoints whose local account database contains the user.
The workflow also attempts to confirm whether the enable request was successful.
Targets
This workflow requires Cisco Orbital integrated in Cisco XDR (module) and active on the endpoints.
Workflow Steps
Structure:
- Create Task Prompt and wait for the analyst's answer
- For Each User (user or process_username)
  - If prompt answer = "Endpoints Involved in the Incident Only":
    - Extract target endpoints from the incident, store hostnames in "Host Table" with type "none" and format "Host List"
    - With "Host List", check via Orbital Query whether the user exists on the endpoints (user account monitoring)
      - If Query failed with error "no result for job": update workflow output (no endpoint connected) and workflow completed
      - If Query success: update host table with the result for each connected endpoint (type = "Exists" or "Not Exists")
    - For Each host in "Host Table" - Re-Enable Account
      - If "Exists": request to enable the account via Orbital Script (Windows: powershell Enable-LocalUser, Linux: usermod -U, Mac: pwpolicy -u)
        - If Script status success True: update workflow output (Request sent)
        - If Script status success False: update workflow output (Orbital Error)
      - If "Not Exists": update workflow output (User does not exist)
      - If "None" (endpoint not connected): update workflow output (Endpoint not connected)
    - For Each hostname in "Host Table" - Confirm Account Re-Enabled
      - If "Exists": check the user account status via Orbital Script (Windows: powershell Get-LocalUser, Linux: passwd -S, Mac: pwpolicy -getpolicy -u)
        - If the user account is enabled (regex match on the script output): update workflow output (confirmed)
  - If prompt answer selects the other option (all endpoints for which the user exists in the local account database):
    - Search on all endpoints via Orbital Query to find where the user exists (user account monitoring)
      - If Query failed with error "no result for job": update workflow output (no endpoint connected) and workflow completed
      - If Query success:
        - For Each result, get the row count; if row count > 0: add the hostname to the host table
        - If rows in host table = 0: update workflow output (No Endpoint found)
        - If rows in host table > 0:
          - For Each host in "Host Table" - Re-Enable Account
            - Request to re-enable the account via Orbital Script (Windows: powershell Enable-LocalUser, Linux: usermod -U, Mac: pwpolicy -u)
              - If Script status success True: update workflow output (Request sent)
              - If Script status success False: update workflow output (Orbital Error)
          - For Each hostname in "Host Table" - Confirm Account Enabled
            - Check the user account status via Orbital Script (Windows: powershell Get-LocalUser, Linux: passwd -S, Mac: pwpolicy -getpolicy -u)
              - If the user account is enabled (regex match on the script output): update workflow output (confirmed)
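The "match regex" step of the confirm stage, as an added example that is not part of the workflow or Cisco's own code: it classifies the raw output of the three status checks (Get-LocalUser, passwd -S, pwpolicy -getpolicy) per host. The sample outputs are constructed, and the pwpolicy output format (isDisabled=0/1) is an assumption.

```python
import re

# Constructed sample output of the status checks the workflow runs on each
# platform; these lines are made up for the example, not captured endpoints.
SAMPLES = {
    "windows": "Name   Enabled Description\n----   ------- -----------\nalice  True\n",
    "linux": "alice P 05/01/2024 0 99999 7 -1\n",
    "mac": "Getting policy for alice /Local/Default\nisDisabled=0 newPasswordRequired=0\n",
}

# One pattern per platform, applied to the raw script output with re.MULTILINE.
PATTERNS = {
    # Get-LocalUser table row: "<name>  True" or "<name>  False"
    "windows": r"^\s*{user}\s+(?P<state>True|False)\b",
    # passwd -S: "<name> <P|NP|L> <date> ..."; L means the password is locked
    "linux": r"^{user}\s+(?P<state>P|NP|L)\b",
    # pwpolicy -getpolicy (output format assumed): "isDisabled=0" or "isDisabled=1"
    "mac": r"isDisabled=(?P<state>[01])",
}

# Captured states that mean "account enabled" on each platform.
ENABLED_STATES = {"windows": {"True"}, "linux": {"P", "NP"}, "mac": {"0"}}


def account_enabled(platform, user, output):
    """True if enabled, False if disabled/locked, None if the output does not
    match (user missing, script failed, endpoint returned nothing)."""
    pattern = PATTERNS[platform].format(user=re.escape(user))
    match = re.search(pattern, output, re.MULTILINE)
    if match is None:
        return None
    return match.group("state") in ENABLED_STATES[platform]


def confirm_all(platform, user, outputs_by_host):
    """Map hostname -> outcome string, mirroring the workflow's confirm step."""
    results = {}
    for host, output in outputs_by_host.items():
        state = account_enabled(platform, user, output)
        if state is True:
            results[host] = "confirmed"
        elif state is False:
            results[host] = "still disabled"
        else:
            results[host] = "status unknown"
    return results
```

A host whose check produces no matching line is reported as "status unknown" rather than silently skipped, so the analyst can tell a failed confirmation from a successful one.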
This workflow requires the following targets to be available before it can be run.
Integration targets
- Orbital
- Cisco XDR