Skip to main content

Brute Force Investigation - Generic

This Playbook is part of the Brute Force Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook investigates a "Brute Force" incident by gathering user and IP information, calculating the incident severity based on the gathered information and information received from the user, and performs remediation.

The playbook handles the following use-cases:

  • Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
  • Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
  • Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login.

Used Sub-playbooks:

  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • Calculate Severity - Critical Assets v2
  • Isolate Endpoint - Generic v2
  • Block Indicators - Generic v3

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • IP Enrichment - Generic v2
  • Isolate Endpoint - Generic V2
  • Account Enrichment - Generic v2.1
  • Calculate Severity - Critical Assets v2
  • Block Indicators - Generic v3

Integrations#

This playbook does not use any integrations.

Scripts#

  • GenerateInvestigationSummaryReport

Commands#

  • closeInvestigation
  • ad-disable-account
  • send-mail
  • setIncident
  • ad-expire-password
  • ad-enable-account

Playbook Inputs#


NameDescriptionDefault ValueRequired
usernameUsername of the user who is suspected of the activity.incident.usernameRequired
srcSource endpoint that triggered the incident.incident.srcRequired
traps_endpoint_idTraps endpoint ID, used for endpoint isolation.incident.agentidOptional
logins_count_thresholdThe threshold for number of logins, from which the investigation and remediation will start automatically without waiting for the user"s reply. Default is 10.10Optional
severity_thresholdThe threshold for the severity value from which an automatic remediation takes place. Specify the severity number (default is Critical): 0 - Unknown, 0.5 - Informational. 1 - Low, 2 - Medium, 3 - High, 4 - Critical4Optional
internal_rangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: '172.16.0.0/12,10.0.0.0/8,192.168.0.0/16' (without quotes).lists.PrivateIPsOptional
critical_usersCritical users, separated by comma.Optional
critical_endpointsCritical endpoints, separated by comma.Optional
critical_groupsCritical groups, separated by comma.Optional
CustomBlockRuleThis input determines whether Palo Alto Networks Panorama or Firewall Custom Block Rules are used.
Specify True to use Custom Block Rules.
TrueOptional
AutoCommitThis input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used.
Specify the Static Address Group name for IP handling.
NoOptional
DAGThis input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.
Specify the Dynamic Address Group tag name for IP handling.
Optional
StaticAddressGroupThis input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used.
Specify the Static Address Group name for IP handling.
Optional
CustomURLCategoryCustom URL Category name.XSOAR Remediation - Malicious URLsOptional
typeCustom URL category type. Insert "URL List"/ "Category Match".Optional
device-groupDevice group for the Custom URL Category (Panorama instances).Optional
categoriesThe list of categories. Relevant from PAN-OS v9.x.Optional
EDLServerIPThis input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used:
* The IP address of the web server on which the files are stored.
* The web server IP address is configured in the integration instance.
Optional
UserVerificationPossible values: True/False.
Whether to provide user verification for blocking IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
FalseOptional
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.
TrueOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Brute Force Investigation - Generic