id: Recorded Future Leaked Credential Alert Handling version: -1 name: Recorded Future Leaked Credential Alert Handling description: "" starttaskid: "0" tasks: "0": id: "0" taskid: 9bb8e2cb-f516-4211-8d30-c68e96e56cba type: start task: id: 9bb8e2cb-f516-4211-8d30-c68e96e56cba version: -1 name: "" description: "" iscommand: false brand: "" nexttasks: '#none#': - "1" separatecontext: false view: |- { "position": { "x": 450, "y": 50 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "1": id: "1" taskid: 6ef8e5c6-a6d8-40cc-8a47-0e015574bcbe type: playbook task: id: 6ef8e5c6-a6d8-40cc-8a47-0e015574bcbe version: -1 name: Account Enrichment - Generic v2.1 description: |- Enrich accounts using one or more integrations. Supported integrations: - Active Directory - SailPoint IdentityNow - SailPoint IdentityIQ - PingOne - Okta - AWS IAM Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations. For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. playbookName: Account Enrichment - Generic v2.1 type: playbook iscommand: false brand: "" nexttasks: '#none#': - "2" scriptarguments: Username: simple: ${inputs.account} separatecontext: true loop: iscommand: false exitCondition: "" wait: 1 max: 100 view: |- { "position": { "x": 450, "y": 180 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "2": id: "2" taskid: 0446baef-f96d-4e57-8313-86a7da5e6932 type: condition task: id: 0446baef-f96d-4e57-8313-86a7da5e6932 version: -1 name: Is the user account active? description: "" type: condition iscommand: false brand: "" nexttasks: '#default#': - "11" "YES": - "3" separatecontext: false view: |- { "position": { "x": 450, "y": 340 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "3": id: "3" taskid: 058b225b-c150-4fe1-82d5-72745147fcb7 type: regular task: id: 058b225b-c150-4fe1-82d5-72745147fcb7 version: -1 name: Query SIEM for suspicious behavior, logins, and location description: "" type: regular iscommand: false brand: "" nexttasks: '#none#': - "5" separatecontext: false view: |- { "position": { "x": 710, "y": 530 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "5": id: "5" taskid: bcfa60cc-c41f-4231-8177-2d595fa78433 type: regular task: id: bcfa60cc-c41f-4231-8177-2d595fa78433 version: -1 name: Notify user description: "" type: regular iscommand: false brand: "" nexttasks: '#none#': - "8" separatecontext: false view: |- { "position": { "x": 710, "y": 705 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "6": id: "6" taskid: a85bd591-178b-4e15-8dac-2cac53771955 type: regular task: id: a85bd591-178b-4e15-8dac-2cac53771955 version: -1 name: Expire password description: "" type: regular iscommand: false brand: "" nexttasks: '#none#': - "10" separatecontext: false view: |- { "position": { "x": 880, "y": 1250 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "8": id: "8" taskid: 6bf1fb31-b094-4970-843e-734b9be9c39c type: condition task: id: 6bf1fb31-b094-4970-843e-734b9be9c39c version: -1 name: Verify activity description: "" type: condition iscommand: false brand: "" nexttasks: '#default#': - "9" "YES": - "11" separatecontext: false view: |- { "position": { "x": 710, "y": 875 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "9": id: "9" taskid: 59020c1c-d3ba-498a-817f-6198431031e7 type: regular task: id: 59020c1c-d3ba-498a-817f-6198431031e7 version: -1 name: | Disable account description: "" type: regular iscommand: false brand: "" nexttasks: '#none#': - "6" separatecontext: false view: |- { "position": { "x": 880, "y": 1090 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "10": id: "10" taskid: 55b731a0-a7f4-4574-829b-dbe9f501747d type: regular task: id: 55b731a0-a7f4-4574-829b-dbe9f501747d version: -1 name: Enable account description: "" type: regular iscommand: false brand: "" nexttasks: '#none#': - "11" separatecontext: false view: |- { "position": { "x": 880, "y": 1420 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false "11": id: "11" taskid: 1a60c3f7-e6a5-49ae-8d1c-37ff545bc7bc type: title task: id: 1a60c3f7-e6a5-49ae-8d1c-37ff545bc7bc version: -1 name: Done description: "" type: title iscommand: false brand: "" separatecontext: false view: |- { "position": { "x": 360, "y": 1680 } } note: false timertriggers: [ ] ignoreworker: false skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { "2_11_#default#": 0.54, "8_11_YES": 0.13 }, "paper": { "dimensions": { "height": 1695, "width": 900, "x": 360, "y": 50 } } } inputs: - key: account value: complex: root: incident.recordedfuturealertentities accessor: name required: false description: "" playbookInputQuery: null outputs: [ ] tests: - No tests fromversion: 6.5.0