diff --git a/Packs/Core/Playbooks/playbook-SSO_Password_Spray.yml b/Packs/Core/Playbooks/playbook-SSO_Password_Spray.yml new file mode 100644 index 00000000000..b9c77369b24 --- /dev/null +++ b/Packs/Core/Playbooks/playbook-SSO_Password_Spray.yml @@ -0,0 +1,1352 @@ +id: SSO Password Spray +version: -1 +name: SSO Password Spray +description: |- + Playbook Overview: + This playbook is designed to address the following alerts: + - SSO Password Spray Threat Detected + - SSO Password Spray Activity Observed + - SSO Password Spray Involving a Honey User + + Early Containment: + The playbook will check if the IP is external and suspicious. If it is, the playbook will suggest blocking the IP. + + Investigation: + The playbook will assess the risk score of the user who successfully logged in and examine the legitimacy of the user agent. It will also verify if the user has MFA configured. + + Containment: + If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook will clear the user's session. If the user doesn't have 2FA, the playbook will recommend expiring the user's password. + + For any response action, you will need one of the following integrations: + + Microsoft Graph User + Okta. +tags: +- T1110 +- Brute Force +- Compromise Accounts +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 428e71eb-55df-4a65-8aec-d2b4a5caa5d7 + type: start + task: + id: 428e71eb-55df-4a65-8aec-d2b4a5caa5d7 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": -650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: e7916327-2ca6-4862-84c4-6562f288e56d + type: playbook + task: + id: e7916327-2ca6-4862-84c4-6562f288e56d + version: -1 + name: Containment Plan - Clear User Sessions + description: |- + ## Containment Plan - Clear User Sessions + + This playbook is a sub-playbook within the containment plan playbook. + The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions. + playbookName: Containment Plan - Clear User Sessions + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + ClearUserSessions: + simple: "True" + Username: + complex: + root: SuspiciousUsers + transformers: + - operator: Cut + args: + delimiter: + value: + simple: \ + fields: + value: + simple: "2" + - operator: uniq + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1800, + "y": 1840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 7aecbe76-273f-4564-805f-3e022d320039 + type: title + task: + id: 7aecbe76-273f-4564-805f-3e022d320039 + version: -1 + name: Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "17" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": 810 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 60151642-80c7-4a8d-8523-e4ad49fc0c7e + type: regular + task: + id: 60151642-80c7-4a8d-8523-e4ad49fc0c7e + version: -1 + name: Close alert + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "12" + scriptarguments: + id: + simple: ${alert.id} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 3390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 135f3593-a4ca-4195-8054-2b0501e3cf4e + type: title + task: + id: 135f3593-a4ca-4195-8054-2b0501e3cf4e + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 3580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: e64d41dd-1dcc-4d40-8193-54bf4880bfca + type: regular + task: + id: e64d41dd-1dcc-4d40-8193-54bf4880bfca + version: -1 + name: Get login event attempt information + description: Returns information about each alert ID. + script: '|||core-get-cloud-original-alerts' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "35" + scriptarguments: + alert_ids: + complex: + root: alert + accessor: id + transformers: + - operator: uniq + filter_alert_fields: + simple: "false" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": 425 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 885d1ae0-3a02-46ee-891d-0177cdce2b17 + type: regular + task: + id: 885d1ae0-3a02-46ee-891d-0177cdce2b17 + version: -1 + name: Check user risk level + description: Gets the risk score of the users that successfully logged in. + script: '|||core-list-risky-users' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "36" + scriptarguments: + user_id: + simple: ${SuccessfulLoginUsernames} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1360, + "y": 1165 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: d02e94a0-eda1-4729-804c-c17051c8c702 + type: title + task: + id: d02e94a0-eda1-4729-804c-c17051c8c702 + version: -1 + name: Containment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "21" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1590, + "y": 1530 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: b95fa692-f074-4cd7-868d-464005a3decb + type: condition + task: + id: b95fa692-f074-4cd7-868d-464005a3decb + version: -1 + name: Were any successful login attempts? + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "9" + "Yes": + - "28" + - "14" + - "39" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: SuccessfulLoginUsernames + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": 970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 7da596f4-aa21-49e1-8640-366e9803b7cf + type: condition + task: + id: 7da596f4-aa21-49e1-8640-366e9803b7cf + version: -1 + name: Is the user agent suspicious or user risk score high? + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "9" + "Yes": + - "2" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: SuspiciousUsers + iscontext: true + right: + value: {} + - operator: isTrue + left: + value: + simple: IntervalAnalysis.IsPatternLikelyAutomated + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1590, + "y": 1660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 8114af51-b7f4-4458-8112-b157ea743c51 + type: regular + task: + id: 8114af51-b7f4-4458-8112-b157ea743c51 + version: -1 + name: Get user MFA factors + description: Returns all the enrolled factors for the specified user. + script: '|||okta-get-user-factors' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "38" + scriptarguments: + extend-context: + simple: MFAResult= + username: + complex: + root: Core.OriginalAlert._all_events + filters: + - - operator: containsGeneral + left: + value: + simple: Core.OriginalAlert._all_events.identity + iscontext: true + right: + value: + simple: SuspiciousUsers + iscontext: true + accessor: auth_identity + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2070, + "y": 2250 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: b06185f2-9dba-4416-8d88-d12f3ee05c11 + type: condition + task: + id: b06185f2-9dba-4416-8d88-d12f3ee05c11 + version: -1 + name: Found users without MFA? + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "9" + "Yes": + - "24" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isEmpty + left: + value: + simple: Account.ID + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: UsersWithoutMFA + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2070, + "y": 2610 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 167f7ac9-9848-4247-8e6a-808d3838d537 + type: collection + task: + id: 167f7ac9-9848-4247-8e6a-808d3838d537 + version: -1 + name: Select the users to set password expiration + type: collection + iscommand: false + brand: "" + description: "" + nexttasks: + '#none#': + - "25" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2280, + "y": 2790 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: Select the user to set password expiration + required: false + gridcolumns: [] + defaultrows: [] + type: multiSelect + options: [] + optionsarg: + - simple: ${UsersWithoutMFA} + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: Select the user for which you want to set a password expiration + description: Decide whether the password should be expired for users who have successfully logged in. + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: a30220a7-b971-43b6-8ccb-e6a003ad5a80 + type: condition + task: + id: a30220a7-b971-43b6-8ccb-e6a003ad5a80 + version: -1 + name: Was any user selected? + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "9" + "Yes": + - "46" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Select the user for which you want to set a password expiration.Answers.0 + iscontext: true + right: + value: {} + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 2280, + "y": 2960 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: cc15491b-020c-4644-886d-59e7a92e2471 + type: regular + task: + id: cc15491b-020c-4644-886d-59e7a92e2471 + version: -1 + name: Check if the involved user agent is suspicious + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "37" + scriptarguments: + key: + simple: UsersWithSuspiciousUserAgent + value: + complex: + root: Core.OriginalAlert._all_events + filters: + - - operator: match + left: + value: + simple: Core.OriginalAlert._all_events.action_user_agent + iscontext: true + right: + value: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium)\b + accessor: identity + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1810, + "y": 1165 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 095c8cb2-59d8-45d8-80e8-da6c188cd1db + type: title + task: + id: 095c8cb2-59d8-45d8-80e8-da6c188cd1db + version: -1 + name: 'Triage ' + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": -500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: bb7e26e7-71c9-4269-83f5-ac140ec63f99 + type: regular + task: + id: bb7e26e7-71c9-4269-83f5-ac140ec63f99 + version: -1 + name: 'Check IP reputation ' + description: Checks the reputation of an IP address. + script: '|||ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "31" + scriptarguments: + ip: + complex: + root: alert + accessor: localip + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": -370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 044a39e8-a5a5-42eb-8df7-f4e63eb92451 + type: condition + task: + id: 044a39e8-a5a5-42eb-8df7-f4e63eb92451 + version: -1 + name: 'Is the IP malicious? ' + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "44" + "yes": + - "32" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: DBotScore + filters: + - - operator: greaterThan + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "2" + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: IP + ignorecase: true + - - operator: isEqualString + left: + value: + simple: DBotScore.Indicator + iscontext: true + right: + value: + simple: alert.localip + iscontext: true + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": -200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 20c0aa3f-6a69-42e9-87bb-67d1ef80431c + type: title + task: + id: 20c0aa3f-6a69-42e9-87bb-67d1ef80431c + version: -1 + name: Early Containment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "42" + - "44" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 0 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 47053318-6590-4910-8f9b-5bd04eb82724 + type: regular + task: + id: 47053318-6590-4910-8f9b-5bd04eb82724 + version: -1 + name: Set users with successful login + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + key: + simple: SuccessfulLoginUsernames + value: + complex: + root: Core.OriginalAlert._all_events + filters: + - - operator: isEqualString + left: + value: + simple: Core.OriginalAlert._all_events.auth_outcome + iscontext: true + right: + value: + simple: SUCCESS + accessor: identity + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": 620 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 75fc378e-64e6-4694-89a3-cb6c81b18c32 + type: regular + task: + id: 75fc378e-64e6-4694-89a3-cb6c81b18c32 + version: -1 + name: Set risky users that logged in (if exist) + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + key: + simple: SuspiciousUsers + value: + complex: + root: Core.RiskyUser + filters: + - - operator: isEqualString + left: + value: + simple: Core.RiskyUser.score + iscontext: true + right: + value: + simple: HIGH + ignorecase: true + accessor: id + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1360, + "y": 1350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: 859ffdde-c1c0-4976-836f-5d8029d80f28 + type: regular + task: + id: 859ffdde-c1c0-4976-836f-5d8029d80f28 + version: -1 + name: Set users who used a suspicious user agent + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + append: + simple: "true" + key: + simple: SuspiciousUsers + value: + complex: + root: UsersWithSuspiciousUserAgent + filters: + - - operator: in + left: + value: + simple: UsersWithSuspiciousUserAgent + iscontext: true + right: + value: + simple: SuccessfulLoginUsernames + iscontext: true + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1810, + "y": 1350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: a3550d82-11bd-4e53-829a-d5216a317e66 + type: regular + task: + id: a3550d82-11bd-4e53-829a-d5216a317e66 + version: -1 + name: Set users without MFA + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "23" + scriptarguments: + key: + simple: UsersWithoutMFA + value: + complex: + root: Core.OriginalAlert._all_events + filters: + - - operator: notContainsGeneral + left: + value: + simple: Core.OriginalAlert._all_events.auth_identity + iscontext: true + right: + value: + simple: Account.Factor.Profile.credentialId + iscontext: true + - - operator: in + left: + value: + simple: Core.OriginalAlert._all_events.identity + iscontext: true + right: + value: + simple: SuspiciousUsers + iscontext: true + accessor: auth_identity + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2070, + "y": 2420 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 33ae71fb-e0ad-4dc5-8f48-5fbfcfb9892d + type: regular + task: + id: 33ae71fb-e0ad-4dc5-8f48-5fbfcfb9892d + version: -1 + name: Analyze intervals of login attempts + description: Analyze a list of Unix timestamps in milliseconds, to detect simple patterns of consistency or high frequency. The script can aid in the investigation of multi-event alerts that contain a list of timestamps. + scriptName: AnalyzeTimestampIntervals + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + timestamps: + simple: ${Core.OriginalAlert._all_events.event_timestamp} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2240, + "y": 1165 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: dec75ec0-4d72-49ff-8794-b14666ef5a1b + type: condition + task: + id: dec75ec0-4d72-49ff-8794-b14666ef5a1b + version: -1 + name: Check the log source + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + '#default#': + - "9" + Okta: + - "22" + separatecontext: false + conditions: + - label: Okta + condition: + - - operator: isEqualString + left: + value: + simple: Core.OriginalAlert.raw_abioc.event.vendor + iscontext: true + right: + value: + simple: Okta + continueonerrortype: "" + view: |- + { + "position": { + "x": 1800, + "y": 2020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 8e75e947-1d41-4376-84b3-d7ce3fd5d82e + type: condition + task: + id: 8e75e947-1d41-4376-84b3-d7ce3fd5d82e + version: -1 + name: Manual - block the source ip? + type: condition + iscommand: false + brand: "" + description: "" + nexttasks: + Else: + - "9" + "yes": + - "45" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 175 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 4a435a03-9f16-4d4a-85d1-7244fc0a3223 + type: title + task: + id: 4a435a03-9f16-4d4a-85d1-7244fc0a3223 + version: -1 + name: Continue Playbook + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "13" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1090, + "y": 190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 546da2af-656b-4826-8edb-de899cb1c14d + type: playbook + task: + id: 546da2af-656b-4826-8edb-de899cb1c14d + version: -1 + name: PAN-OS - Block IP + description: |- + This playbook blocks IP addresses with 2 optional actions: + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama or Firewall. The playbook receives malicious IP addresses and an address group name as inputs, verifies that the addresses are not already a part of the address group, adds them and commits the configuration. + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables analysts to create a rule one time, where the group is the source/destination, and adds IP addresses dynamically without the need to commit the configuration every time. + The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag. + If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed. + playbookName: PAN-OS - Block IP + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + MaliciousIPs: + complex: + root: alert + accessor: localip + transformers: + - operator: uniq + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 200, + "y": 370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 8b2f636e-8ce3-4d80-8756-a07dfafb7d4a + type: regular + task: + id: 8b2f636e-8ce3-4d80-8756-a07dfafb7d4a + version: -1 + name: Okta expire password + description: Expires the password for a user in Okta. + script: '|||okta-expire-password' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + username: + complex: + root: Select the user for which you want to set a password expiration.Answers + accessor: "0" + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2280, + "y": 3180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "17_14_Yes": 0.52, + "17_28_Yes": 0.7, + "17_9_#default#": 0.14, + "21_2_Yes": 0.57, + "21_9_#default#": 0.18, + "23_9_#default#": 0.11, + "25_46_Yes": 0.59, + "25_9_#default#": 0.15, + "31_44_#default#": 0.5, + "40_9_#default#": 0.16, + "42_45_yes": 0.48, + "42_9_Else": 0.13 + }, + "paper": { + "dimensions": { + "height": 4295, + "width": 2460, + "x": 200, + "y": -650 + } + } + } +inputs: [] +inputSections: +- inputs: [] + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: [] + name: General (Outputs group) + description: Generic group for outputs +outputs: [] +tests: +- No tests (auto formatted) +marketplaces: ["marketplacev2"] +fromversion: 6.10.0 diff --git a/Packs/Core/Playbooks/playbook-SSO_Password_Spray_README.md b/Packs/Core/Playbooks/playbook-SSO_Password_Spray_README.md new file mode 100644 index 00000000000..f4b4493334d --- /dev/null +++ b/Packs/Core/Playbooks/playbook-SSO_Password_Spray_README.md @@ -0,0 +1,64 @@ +Playbook Overview: +This playbook is designed to address the following alerts: +- SSO Password Spray Threat Detected +- SSO Password Spray Activity Observed +- SSO Password Spray Involving a Honey User + +Early Containment: +The playbook will check if the IP is external and suspicious. If it is, the playbook will suggest blocking the IP. + +Investigation: +The playbook will assess the risk score of the user who successfully logged in and examine the legitimacy of the user agent. It will also verify if the user has MFA configured. + +Containment: +If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook will clear the user's session. If the user doesn't have 2FA, the playbook will recommend expiring the user's password. + +For any response action, you will need one of the following integrations: + +Microsoft Graph User +Okta. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +* PAN-OS - Block IP +* Containment Plan - Clear User Sessions + +### Integrations + +* CoreIOCs +* CortexCoreXQLQueryEngine +* CortexCoreIR + +### Scripts + +* AnalyzeTimestampIntervals +* SetAndHandleEmpty + +### Commands + +* okta-expire-password +* core-get-cloud-original-alerts +* core-list-risky-users +* ip +* okta-get-user-factors +* closeInvestigation + +## Playbook Inputs + +--- +There are no inputs for this playbook. + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![SSO Password Spray](../doc_files/SSO_Password_Spray.png) diff --git a/Packs/Core/ReleaseNotes/3_0_70.md b/Packs/Core/ReleaseNotes/3_0_70.md new file mode 100644 index 00000000000..de3bee4af2c --- /dev/null +++ b/Packs/Core/ReleaseNotes/3_0_70.md @@ -0,0 +1,42 @@ + +#### Playbooks + +##### New: SSO Password Spray + +- New: Playbook Overview: +This playbook is designed to address the following alerts: +- SSO Password Spray Threat Detected +- SSO Password Spray Activity Observed +- SSO Password Spray Involving a Honey User + +Early Containment: +The playbook will check if the IP is external and suspicious. If it is, the playbook will suggest blocking the IP. + +Investigation: +The playbook will assess the risk score of the user who successfully logged in and examine the legitimacy of the user agent. It will also verify if the user has MFA configured. + +Containment: +If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook will clear the user's session. If the user doesn't have 2FA, the playbook will recommend expiring the user's password. + +For any response action, you will need one of the following integrations: + +Microsoft Graph User +Okta. + +#### Triggers Recommendations + +##### New: SSO Password Spray + +- New: This trigger is responsible for handling SSO Password Spray alerts<~XSIAM> (Available from Cortex XSIAM %%XSIAM_VERSION%%). + +##### New: SSO Password Spray + +- New: This trigger is responsible for handling SSO Password Spray alerts<~XSIAM> (Available from Cortex XSIAM %%XSIAM_VERSION%%). + +##### Suspicious SaaS Access From a TOR Exit Node + +- %%UPDATE_RN%% + +##### New: SSO Password Spray + +- New: This trigger is responsible for handling SSO Password Spray alerts<~XSIAM> (Available from Cortex XSIAM %%XSIAM_VERSION%%). diff --git a/Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json b/Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json index 3a8c85a51be..0fd937bf990 100644 --- a/Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json +++ b/Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json @@ -17,7 +17,7 @@ { "SEARCH_FIELD": "alert_name", "SEARCH_TYPE": "CONTAINS", - "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node via Mobile Device " + "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node via Mobile Device" }, { "SEARCH_FIELD": "alert_name", diff --git a/Packs/Core/Triggers/Trigger_-_SSO_Password_Spray.json b/Packs/Core/Triggers/Trigger_-_SSO_Password_Spray.json new file mode 100644 index 00000000000..88f21bebaec --- /dev/null +++ b/Packs/Core/Triggers/Trigger_-_SSO_Password_Spray.json @@ -0,0 +1,32 @@ +{ + "trigger_id": "461746d489017d070d0ac7ffc7fec57d", + "playbook_id": "SSO Password Spray", + "suggestion_reason": "Recommended for SSO Password Spray alerts", + "description": "This trigger is responsible for handling SSO Password Spray alerts", + "trigger_name": "SSO Password Spray", + "alerts_filter": { + "filter": { + "AND": [ + { + "OR": [ + { + "SEARCH_FIELD": "alert_name", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "SSO Password Spray Threat Detected" + }, + { + "SEARCH_FIELD": "alert_name", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "SSO Password Spray Activity Observed" + }, + { + "SEARCH_FIELD": "alert_name", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "SSO Password Spray Involving a Honey User" + } + ] + } + ] + } + } +} \ No newline at end of file diff --git a/Packs/Core/doc_files/SSO_Password_Spray.png b/Packs/Core/doc_files/SSO_Password_Spray.png new file mode 100644 index 00000000000..c33e658efd5 Binary files /dev/null and b/Packs/Core/doc_files/SSO_Password_Spray.png differ diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json index f4132e53057..8d4b5058476 100644 --- a/Packs/Core/pack_metadata.json +++ b/Packs/Core/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Core - Investigation and Response", "description": "Automates incident response", "support": "xsoar", - "currentVersion": "3.0.69", + "currentVersion": "3.0.70", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",