Skip to main content

Cortex XDR - Possible External RDP Brute-Force - Set Verdict

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook creating an array called "Suspicious Elements", which is used to count potential security threats. The following elements can be added to the array:

  • "IP Reputation" - Dbot Score is 2-3
  • "Source geolocation" - RDP Connection made from rare geo-location
  • Related to campaign - IP address is related to campaign, based on TIM module
  • Hunting results - the hunt for indicators related to the source IP and the related campaign returned results
  • XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found.

The array will then be outputted and its size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive."

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

This playbook does not use any sub-playbooks.

Integrations#

This playbook does not use any integrations.

Scripts#

  • Set

Commands#

This playbook does not use any commands.

Playbook Inputs#


NameDescriptionDefault ValueRequired
RelatedAlertsNumber of XDR alerts that are related to the same user or endpoint.Optional
RelatedCampaignCampaign related to the external IP.Optional
HuntResultsDetermine whether hunting results exist. The input value should be true or false.Optional
UnusualGeoLocationdetermine whether the RDP connection has made RDP Connection made from rare geo-location. the input value should be true or false.Optional
IpReputationThe external IP reputation.Optional
XDRRiskyUserUsernames of users that were found as risky by Cortex XDR.PaloAltoNetworksXDR.RiskyUser.idOptional
XDRRiskyHostHostnames that were found as risky by Cortex XDR.PaloAltoNetworksXDR.RiskyHost.idOptional

Playbook Outputs#


PathDescriptionType
Suspicious_ElementsArray that contains all the suspicious elements.unknown

Playbook Image#


Cortex XDR - Possible External RDP Brute-Force - Set Verdict