SIEM - Search for Failed logins
Common Playbooks Pack.#
This Playbook is part of theSupported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook searches for failed logon on a specific user by querying logs from different sources.
Supported Integrations: -Splunk -QRadar -Azure Log Analytics.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooksThis playbook does not use any sub-playbooks.
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- CountArraySize
- Set
#
Commands- qradar-search-retrieve-events
- azure-log-analytics-execute-query
- splunk-search
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
SplunkIndex | Splunk's index name in which to search. Default is "*" - All. | * | Optional |
SplunkEarliestTime | The earliest time for the Splunk search query. | -1d | Optional |
SplunkLatestTime | The latest time for the Splunk search query. | now | Optional |
QRadarSearchTime | The Search Time for the QRadar search query. for example: Last 1 days | Last 1 days | Optional |
AzureSearchTime | The Search Time for the Azure Log Analytics search query. for example: ago(1d) | ago(1d) | Optional |
Username | User name. | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
NumOfSiemFailedLogon | Number of failed login from Siem. | unknown |
QRadar.SearchEvents | The result of the QRadar search. | unknown |
Splunk.Result | The results of the Splunk search. The results are a JSON array, in which each item is a Splunk event. | unknown |
AzureFailedLogonLogs | The result of the Azure Log Analytics search. | unknown |