The "Investigation. Triggered rules with the same account" predefined playbook allows you to identify other correlation rules that were triggered for the same account within a specified time window around the current alert. It queries KUMA for rules where the same user name appears in the SourceUserName or DestinationUserName fields and adds a summary comment to the alert, helping to assess whether the account is involved in broader malicious activity.
Before using the playbook, you must download the scripts and the dependencies list, which are required for the playbook to work correctly.
# Playbook trigger. Evaluates to true only when every Type-3 event in the alert
# (presumably a correlation event — confirm against the KUMA event schema) has an
# ExternalID that is in the rule list below; the array difference is empty exactly
# when no unlisted rule fired, so the list scopes the playbook to these rules.
[ .OriginalEvents[] | select(.Type == 3) | .ExternalID ] - [
  "R050_01", "R050_04", "R050_05", "R050_07", "R058_03", "R061_01", "R061_03", "R061_05", "R062_01", "R062_03", "R063_01", "R063_03", "R076_05", "R082_01", "R082_02", "R082_09", "R082_12", "R083_01", "R083_03", "R083_05", "R083_07", "R083_09", "R083_10", "R083_13", "R084_01", "R084_02", "R084_04", "R087_04", "R089_05", "R089_07", "R093_03", "R093_14", "R093_18", "R093_31", "R098_01", "R098_02", "R099_01", "R099_02", "R099_03", "R099_04", "R099_05", "R099_07", "R100_01", "R100_03", "R101_01", "R101_03", "R102_02", "R103_02", "R104_01", "R105_01", "R105_02", "R105_03", "R106_02", "R107_02", "R107_03", "R107_04", "R108_02", "R109_02", "R110_04", "R110_05", "R110_06", "R110_07", "R111",
  "R150_01", "R150_02", "R151", "R152_01", "R152_02", "R152_03", "R152_04", "R152_05", "R152_06", "R152_07", "R152_09", "R152_10", "R152_11", "R152_12", "R152_13", "R154_03", "R154_06", "R154_09", "R211_01", "R220_02", "R220_04", "R220_05", "R220_06", "R221_01", "R221_04", "R222_02", "R222_03", "R222_04", "R223_02", "R223_03", "R224_02", "R224_03", "R224_08", "R224_12", "R224_13", "R224_14", "R224_17", "R224_18", "R224_19", "R224_20", "R224_21", "R225_03", "R225_05", "R226_02", "R226_03", "R227_02", "R228_01", "R228_02", "R229_01", "R230_02", "R231_02", "R231_03", "R231_04", "R232", "R233_01", "R233_04", "R240_01", "R240_02", "R240_05", "R250", "R270",
  "R280_01", "R280_02", "R280_03", "R280_04", "R282_01", "R282_02", "R283_01", "R283_02", "R283_03", "R285_01", "R285_02", "R286_02", "R287_01", "R287_02", "R288_01", "R288_02", "R288_03", "R289_02", "R290_01", "R290_02", "R290_03", "R290_04", "R290_05", "R290_06", "R290_07", "R290_08", "R290_09", "R291_01", "R291_02", "R291_03", "R291_04", "R291_05", "R291_06", "R292_01", "R292_02", "R293_01", "R293_02", "R293_03", "R293_04", "R294_01", "R294_03", "R294_04", "R295_01", "R295_02", "R296_01", "R296_02", "R296_03", "R296_04", "R296_05", "R296_06", "R296_07", "R296_08", "R296_09",
  "R296_10", "R296_11", "R296_12", "R296_13", "R296_14", "R296_15", "R296_16", "R296_17", "R296_18", "R296_19", "R296_22", "R297", "R298", "R299", "R300_01", "R300_02", "R300_03", "R300_04", "R301_01", "R301_02", "R302_01", "R302_03", "R320", "R321", "R330", "R350_02", "R350_04", "R350_07", "R410_03", "R411_01", "R412_01", "R414_01", "R415_01", "R418_02", "R419_01", "R419_02", "R419_03", "R419_04", "R422_01", "R423_02", "R423_03", "R427_01", "R427_04", "R432_02", "R436_02", "R438_01", "R438_02", "R441", "R442",
  "R050_06", "R058_04", "R061_10", "R082_03", "R082_04", "R082_13", "R083_06", "R083_12", "R089_08", "R099_08", "R152_08", "R209_05", "R211_02", "R224_06", "R224_07", "R224_10", "R224_15", "R231_05", "R231_06", "R231_07", "R231_08", "R231_10", "R282_03", "R286_01", "R286_03", "R286_04", "R286_05", "R302_04", "R302_05", "R302_06", "R405_01", "R405_02", "R405_04", "R412_02", "R413_01", "R416_01", "R418_01", "R422_02", "R423_01", "R427_02", "R429_01", "R430_01", "R433_01", "R433_02", "R433_03", "R433_04", "R433_06", "R434_01", "R434_02", "R434_03", "R434_04", "R435_05", "R436_01", "R436_03", "R443"
] | length == 0
{
"dslSpecVersion": "1.1.0",
"version": "1",
"actionsSpecVersion": "1",
"input": "${ {\"workdir\": \"/opt/xdr_scripts\", \"timewindow\": \"86400\"} }",
"executionFlow": [
{
"decision": {
"conditions": [
{
"name": "SourceUserName is defined",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .SourceUserName != \"\" and .SourceUserName != \"-\" }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"rules_same_username \" , ( [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .SourceUserName ) , \" \" , (alert.OriginalEvents[0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {rules_same_username: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Account \" + ( .rules_same_username.details.stdOut | fromjson | .[0] | .SourceUserName ) + \" was found in the following correlation rules triggered within 24h before and after the alert:\n\" + ([ .rules_same_username.details.stdOut | fromjson | .[] | \"──> \" + .Name ] | unique | join(\"\n\")) }"
}
},
"onError": "stop"
}
}
]
}
]
}
},
{
"decision": {
"conditions": [
{
"name": "DestinationUserName is defined and is not equal to SourceUserName",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName != \"\" and .DestinationUserName != \"-\" and .DestinationUserName != .SourceUserName }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"rules_same_username \" , ( [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName ) , \" \" , (alert.OriginalEvents[0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {rules_same_username: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Account \" + ( .rules_same_username.details.stdOut | fromjson | .[0] | .DestinationUserName ) + \" was found in the following correlation rules triggered within 24h before and after the alert:\n\" + ([ .rules_same_username.details.stdOut | fromjson | .[] | \"──> \" + .Name ] | unique | join(\"\n\")) }"
}
},
"onError": "stop"
}
}
]
}
]
}
}
]
}