Get User Devices by Username - Generic
This Playbook is part of the Common Playbooks Pack.#
Supported versions
Available on Cortex XSOAR (versions 6.8.0 and later) and Cortex XSIAM.
This playbook retrieves information on all of the associated user devices, based on the user's username.
In order to get a generic output, the following information on all of the retrieved devices will be saved under the UserDevices context key:
- Name
- Serial Number
- ID
- Model
- MAC Address
- OS
- Integration
Note that not all of the supported integrations will be able to retrieve this information.
Supported integrations:
- jamf v2
- Microsoft Defender for Endpoint
- Cortex XDR IR
- ServiceNow v2
- Google Workspace (Gsuite)
- Active Directory Query v2.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
This playbook does not use any sub-playbooks.
Integrations#
- ServiceNow v2
- Cortex XDR - IR
- jamf v2
- Microsoft Defender Advanced Threat Protection
Scripts#
- SetAndHandleEmpty
- SetMultipleValues
- IsIntegrationAvailable
Commands#
- gsuite-mobiledevice-list
- jamf-get-mobile-device-by-match
- ad-get-user
- microsoft-atp-get-user-machines
- servicenow-query-computers
- core-get-endpoints
- jamf-get-mobile-device-by-id
- servicenow-query-users
- jamf-get-computer-by-match
- xdr-get-endpoints
- jamf-get-computer-by-id
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| Username | The username of the user. | Optional | |
| GsuiteCustomerID | If using Google Workspace, a customer ID is needed. | Optional | |
| CustomADAttribute | A custom Active Directory attribute. In case there is a custom attribute in Active Directory which stores the name of the computer assigned to the user in the user object, it would be fetched. | Optional |
Playbook Outputs#
| Path | Description | Type |
|---|---|---|
| GSuite.MobileDevices | Gsuite mobile devices. | unknown |
| GSuite.MobileDevices.MobileListObjects | A list of mobile device objects. | unknown |
| GSuite.MobileDevices.MobileListObjects.kind | The type of the API resource. | unknown |
| GSuite.MobileDevices.MobileListObjects.etag | ETag of the resource. | unknown |
| GSuite.MobileDevices.MobileListObjects.resourceId | The unique ID the API service uses to identify the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.deviceId | The serial number for a Google Sync mobile device. For Android and iOS devices, this is a software-generated unique identifier. | unknown |
| GSuite.MobileDevices.MobileListObjects.name | A list of the owner's usernames. | unknown |
| GSuite.MobileDevices.MobileListObjects.email | A list of the owner's email addresses. | unknown |
| GSuite.MobileDevices.MobileListObjects.model | The mobile device's model name. | unknown |
| GSuite.MobileDevices.MobileListObjects.os | The mobile device's operating system. | unknown |
| GSuite.MobileDevices.MobileListObjects.type | The type of mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.status | The mobile device's status. | unknown |
| GSuite.MobileDevices.MobileListObjects.hardwareId | The IMEI/MEID unique identifier for Android hardware. | unknown |
| GSuite.MobileDevices.MobileListObjects.firstSync | The date and time the mobile device was initially synchronized with the policy settings in the Admin console. | unknown |
| GSuite.MobileDevices.MobileListObjects.lastSync | The date and time the mobile device was last synchronized with the policy settings in the Admin console. | unknown |
| GSuite.MobileDevices.MobileListObjects.userAgent | Information about the mobile device such as the operating system version. | unknown |
| GSuite.MobileDevices.MobileListObjects.serialNumber | The mobile device's serial number. | unknown |
| GSuite.MobileDevices.MobileListObjects.imei | The mobile device's IMEI number. | unknown |
| GSuite.MobileDevices.MobileListObjects.meid | The mobile device's MEID number. | unknown |
| GSuite.MobileDevices.MobileListObjects.wifiMacAddress | The mobile device's MAC address on Wi-Fi networks. | unknown |
| GSuite.MobileDevices.MobileListObjects.networkOperator | Mobile device mobile or network operator. | unknown |
| GSuite.MobileDevices.MobileListObjects.defaultLanguage | The default locale used on the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.managedAccountIsOnOwnerProfile | Boolean indicating if this account is on the owner/primary profile. | unknown |
| GSuite.MobileDevices.MobileListObjects.deviceCompromisedStatus | The compromised device status. | unknown |
| GSuite.MobileDevices.MobileListObjects.buildNumber | The mobile device's operating system build number. | unknown |
| GSuite.MobileDevices.MobileListObjects.kernelVersion | The mobile device's kernel version. | unknown |
| GSuite.MobileDevices.MobileListObjects.basebandVersion | The mobile device's baseband version. | unknown |
| GSuite.MobileDevices.MobileListObjects.unknownSourcesStatus | Unknown sources enabled or disabled on the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.adbStatus | Whether adb (USB debugging) is enabled on the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.developerOptionsStatus | Whether developer options are enabled on the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.otherAccountsInfo | A list of accounts added on the device. | unknown |
| GSuite.MobileDevices.MobileListObjects.supportsWorkProfile | Work profile supported on the mobile device. | unknown |
| GSuite.MobileDevices.MobileListObjects.manufacturer | Mobile device manufacturer. | unknown |
| GSuite.MobileDevices.MobileListObjects.releaseVersion | Mobile device release version. | unknown |
| GSuite.MobileDevices.MobileListObjects.securityPatchLevel | Mobile device security patch level. | unknown |
| GSuite.MobileDevices.MobileListObjects.brand | Mobile device brand. | unknown |
| GSuite.MobileDevices.MobileListObjects.bootloaderVersion | Mobile device bootloader version. | unknown |
| GSuite.MobileDevices.MobileListObjects.hardware | Mobile device hardware. | unknown |
| GSuite.MobileDevices.MobileListObjects.encryptionStatus | Mobile device encryption status. | unknown |
| GSuite.MobileDevices.MobileListObjects.devicePasswordStatus | Mobile device password status. | unknown |
| GSuite.MobileDevices.MobileListObjects.privilege | DM agent permission. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications | Mobile device applications. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications.packageName | The application's package name. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications.displayName | The application's display name. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications.versionName | The application's version name. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications.versionCode | The application's version code. | unknown |
| GSuite.MobileDevices.MobileListObjects.applications.permission | The list of permissions of this application. | unknown |
| JAMF.Computer | Computer object. | unknown |
| JAMF.Computer.id | The computer ID. | unknown |
| JAMF.Computer.name | The computer name. | unknown |
| JAMF.Computer.udid | The computer UDID. | unknown |
| JAMF.Computer.serial_number | The computer serial number. | unknown |
| JAMF.Computer.mac_address | The computer MAC address. | unknown |
| JAMF.Computer.alt_mac_address | The computer alt MAC address. | unknown |
| JAMF.Computer.asset_tag | The computer asset tag. | unknown |
| JAMF.Computer.bar_code_1 | The computer barcode 1. | unknown |
| JAMF.Computer.bar_code_2 | The computer barcode 2. | unknown |
| JAMF.Computer.username | The computer username. | unknown |
| JAMF.Computer.realname | The computer real name. | unknown |
| JAMF.Computer.email | The computer email address. | unknown |
| JAMF.Computer.email_address | The computer email address. | unknown |
| JAMF.Computer.room | The computer room. | unknown |
| JAMF.Computer.position | The computer position. | unknown |
| JAMF.Computer.building | The computer building. | unknown |
| JAMF.Computer.building_name | The computer building name. | unknown |
| JAMF.Computer.department | The computer department. | unknown |
| JAMF.Computer.department_name | The computer department name. | unknown |
| JAMF.MobileDevice | Mobile device object. | unknown |
| JAMF.MobileDevice.id | The mobile device ID. | unknown |
| JAMF.MobileDevice.name | The mobile device name. | unknown |
| JAMF.MobileDevice.udid | The mobile device UDID. | unknown |
| JAMF.MobileDevice.serial_number | The mobile device serial number. | unknown |
| JAMF.MobileDevice.mac_address | The mobile device MAC address. | unknown |
| JAMF.MobileDevice.wifi_mac_address | The mobile device WI-FI MAC address. | unknown |
| JAMF.MobileDevice.username | The mobile device username. | unknown |
| JAMF.MobileDevice.realname | The mobile device real name. | unknown |
| JAMF.MobileDevice.email | The mobile device user email address. | unknown |
| JAMF.MobileDevice.email_address | The mobile device user email address. | unknown |
| JAMF.MobileDevice.room | The mobile device room. | unknown |
| JAMF.MobileDevice.position | The mobile device position. | unknown |
| JAMF.MobileDevice.building | The mobile device building. | unknown |
| JAMF.MobileDevice.building_name | The mobile device building name. | unknown |
| JAMF.MobileDevice.department | The mobile device department. | unknown |
| JAMF.MobileDevice.department_name | The mobile device department name. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_id | The endpoint ID. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_name | The endpoint name. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_type | The endpoint type. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_status | The status of the endpoint. | unknown |
| PaloAltoNetworksXDR.Endpoint.os_type | The endpoint OS type. | unknown |
| PaloAltoNetworksXDR.Endpoint.ip | A list of IP addresses. | unknown |
| PaloAltoNetworksXDR.Endpoint.users | A list of users. | unknown |
| PaloAltoNetworksXDR.Endpoint.domain | The endpoint domain. | unknown |
| PaloAltoNetworksXDR.Endpoint.alias | The endpoint's aliases. | unknown |
| PaloAltoNetworksXDR.Endpoint.first_seen | First seen date/time in Epoch (milliseconds). | unknown |
| PaloAltoNetworksXDR.Endpoint.last_seen | Last seen date/time in Epoch (milliseconds). | unknown |
| PaloAltoNetworksXDR.Endpoint.content_version | Content version. | unknown |
| PaloAltoNetworksXDR.Endpoint.installation_package | Installation package. | unknown |
| PaloAltoNetworksXDR.Endpoint.active_directory | Active directory. | unknown |
| PaloAltoNetworksXDR.Endpoint.install_date | Install date in Epoch (milliseconds). | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_version | Endpoint version. | unknown |
| PaloAltoNetworksXDR.Endpoint.is_isolated | Whether the endpoint is isolated. | unknown |
| PaloAltoNetworksXDR.Endpoint.group_name | The name of the group to which the endpoint belongs. | unknown |
| PaloAltoNetworksXDR.Endpoint.count | Number of endpoints returned. | unknown |
| Endpoint.Hostname | The hostname that is mapped to this endpoint. | unknown |
| Endpoint.ID | The unique ID within the tool retrieving the endpoint. | unknown |
| Endpoint.IPAddress | The IP address of the endpoint. | unknown |
| Endpoint.Domain | The domain of the endpoint. | unknown |
| Endpoint.OS | The endpoint's operation system. | unknown |
| Endpoint.Status | The endpoint's status. | unknown |
| Endpoint.IsIsolated | The endpoint's isolation status. | unknown |
| Endpoint.MACAddress | The endpoint's MAC address. | unknown |
| Endpoint.Vendor | The integration name of the endpoint vendor. | unknown |
| MicrosoftATP.UserMachine.Username | The username. | unknown |
| MicrosoftATP.UserMachine.Machines.ID | The machine ID. | unknown |
| MicrosoftATP.UserMachine.Machines.ComputerDNSName | The machine DNS name. | unknown |
| MicrosoftATP.UserMachine.Machines.FirstSeen | The first date and time the machine was observed by Microsoft Defender ATP. | unknown |
| MicrosoftATP.UserMachine.Machines.LastSeen | The last date and time the machine was observed by Microsoft Defender ATP. | unknown |
| MicrosoftATP.UserMachine.Machines.OSPlatform | The operating system platform. | unknown |
| MicrosoftATP.UserMachine.Machines.OSVersion | The operating system version. | unknown |
| MicrosoftATP.UserMachine.Machines.OSProcessor | The operating system processor. | unknown |
| MicrosoftATP.UserMachine.Machines.LastExternalIPAddress | The last IP through which the machine accessed the internet. | unknown |
| MicrosoftATP.UserMachine.Machines.OSBuild | The operating system build number. | unknown |
| MicrosoftATP.UserMachine.Machines.HealthStatus | The machine health status. | unknown |
| MicrosoftATP.UserMachine.Machines.RBACGroupID | The machine RBAC group ID. | unknown |
| MicrosoftATP.UserMachine.Machines.RBACGroupName | The machine RBAC group name. | unknown |
| MicrosoftATP.UserMachine.Machines.RiskScore | The machine risk score. | unknown |
| MicrosoftATP.UserMachine.Machines.ExposureLevel | The machine exposure level. | unknown |
| MicrosoftATP.UserMachine.Machines.IsAADJoined | True if machine is AAD joined, False otherwise. | unknown |
| MicrosoftATP.UserMachine.Machines.AADDeviceID | The AAD device ID. | unknown |
| MicrosoftATP.UserMachine.Machines.MachineTags | Set of machine tags. | unknown |
| MicrosoftATP.v.Machines.LastIPAddress | The last IP on the machine. | unknown |
| ServiceNow.Computer.ID | Computer system ID. | unknown |
| ServiceNow.Computer.AssetTag | Computer asset tag. | unknown |
| ServiceNow.Computer.Name | Computer name. | unknown |
| ServiceNow.Computer.DisplayName | Computer display name. | unknown |
| ServiceNow.Computer.SupportGroup | Computer support group. | unknown |
| ServiceNow.Computer.OperatingSystem | Computer operating system. | unknown |
| ServiceNow.Computer.Company | Computer company system ID. | unknown |
| ServiceNow.Computer.AssignedTo | Computer assigned to user system ID. | unknown |
| ServiceNow.Computer.State | Computer state. | unknown |
| ServiceNow.Computer.Cost | Computer cost. | unknown |
| ServiceNow.Computer.Comments | Computer comments. | unknown |
| UserDevices | Devices retrieved by this playbook. | unknown |
| UserDevices.Name | Devices names retrieved by this playbook. | unknown |
| UserDevices.SerialNumber | Devices serial numbers retrieved by this playbook. | unknown |
| UserDevices.ID | Devices IDs retrieved by this playbook. | unknown |
| UserDevices.Model | Devices models retrieved by this playbook. | unknown |
| UserDevices.OS | Devices operating systems retrieved by this playbook. | unknown |
| UserDevices.Integration | The integration which retrieved the devices. | unknown |
| UserDevices.MACAddress | Devices MAC address retrieved by this playbook. | unknown |
Playbook Image#
