Set up the Attempted Access Deactivated Account playbook

  • Release version: Xanadu
  • Updated August 1, 2024
  Use the following steps to set up the Attempted Access Deactivated Account playbook.

    Before you begin

    Role required:
    • sn_si.admin
    • flow_designer

    Make sure that the Security Operations Spoke (sn_sec_spoke) is installed.

    Procedure

    1. Log in as a user with the sn_si.user and flow_designer roles.
    2. Navigate to All > Flow Designer and select the Attempted Access Deactivated Account playbook.
    3. Optional: Create a copy of the Attempted Access Deactivated Account playbook flow and make the necessary modifications.

      To create a copy of the playbook's flow, select the More actions menu icon and select Copy flow. Perform this step only if you plan to customize or make specific changes to the flow.

      Figure 1. Attempted Access to Deactivated Accounts playbook
      Overview of the Attempted Access to Deactivated Accounts playbook.
    4. Activate the playbooks.
      1. Activate the main flow to use the playbook available in the base system.
      2. Activate the copied flows after making the required changes.
    5. Set a Trigger Condition for the playbook.

      This playbook is triggered when a security incident is created or updated and matches the conditions that you require. For example, when Category is Insider Breach.

      Figure 2. Attempted Access to Deactivated Accounts playbook trigger condition
      Trigger condition for Attempted Access to Deactivated Accounts playbook.