
Brute Force - External Login Password Spray - Playbook + Triggers #36536

Merged: 23 commits merged into master from external-login-password-spray on Oct 7, 2024

Conversation


@idovandijk idovandijk commented Sep 26, 2024

Status

  • In Progress
  • Ready
  • In Hold

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-11361

Description

New playbook to respond to successful/non-successful external login password sprays. Designed to handle the following alerts:

  • External Login Password Spray
  • Successful External Login Password Spray
  • External Login Password Spray on a Domain Controller
  • External Login Password Spray Involving a Honey User
  • Successful External Login Password Spray on a Domain Controller
  • Successful External Login Password Spray on a sensitive server

[Playbook image: External_Login_Password_Spray]
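The six alert names above describe one detection family with escalating context (success vs. failure, domain controller, honey user, sensitive server). The following added example, which is not code from this PR or from the playbook, shows what that classification looks like over a batch of constructed authentication events: a source that fails against many distinct accounts inside a time window is a spray, and the alert variant is chosen from the targets it touched. The event format, the asset inventory (`DOMAIN_CONTROLLERS`, `SENSITIVE_SERVERS`, `HONEY_USERS`), the window and account thresholds, and the `strip_domain` normalization (prompted by the commit note about risky users being returned with their domain part) are all my assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events; not taken from the page or the
# playbook. Each tuple: (epoch seconds, source IP, target user, outcome, host).
SAMPLE_EVENTS = [
    (0,   "203.0.113.7",  "alice@corp.example",        "failure", "vpn-gw"),
    (10,  "203.0.113.7",  "bob@corp.example",          "failure", "vpn-gw"),
    (20,  "203.0.113.7",  "carol@corp.example",        "failure", "vpn-gw"),
    (30,  "203.0.113.7",  "dave@corp.example",         "failure", "vpn-gw"),
    (40,  "203.0.113.7",  "svc_honeypot@corp.example", "failure", "vpn-gw"),
    (50,  "203.0.113.7",  "erin@corp.example",         "success", "vpn-gw"),
    (0,   "198.51.100.9", "alice@corp.example",        "failure", "dc01"),
    (15,  "198.51.100.9", "bob@corp.example",          "failure", "dc01"),
    (30,  "198.51.100.9", "carol@corp.example",        "failure", "dc01"),
    (45,  "198.51.100.9", "dave@corp.example",         "failure", "dc01"),
    (60,  "198.51.100.9", "frank@corp.example",        "failure", "dc01"),
    (900, "198.51.100.9", "grace@corp.example",        "failure", "dc01"),  # outside window
    (0,   "192.0.2.4",    "alice@corp.example",        "failure", "vpn-gw"),
    (5,   "192.0.2.4",    "alice@corp.example",        "failure", "vpn-gw"),
    (10,  "192.0.2.4",    "alice@corp.example",        "success", "vpn-gw"),  # one account: not a spray
]

# Assumed asset inventory (hypothetical names).
DOMAIN_CONTROLLERS = {"dc01"}
SENSITIVE_SERVERS = {"dc01", "fileserver"}
HONEY_USERS = {"svc_honeypot"}


def strip_domain(user):
    """Normalize 'user@domain' or 'DOMAIN\\user' to the bare account name
    so that inventory lookups and later account actions match."""
    if "@" in user:
        return user.split("@", 1)[0]
    if "\\" in user:
        return user.rsplit("\\", 1)[1]
    return user


def detect_sprays(events, window=600, min_accounts=5):
    """Group events by source IP and, for each source, find the time window
    with the most distinct failed accounts. A source reaching min_accounts is
    reported with the alert variants that apply to what it touched."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)

    findings = []
    for source, evs in by_source.items():
        best = None
        for i, ev in enumerate(evs):
            start = ev[0]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {strip_domain(e[2]) for e in in_window if e[3] == "failure"}
            if best is None or len(failed) > len(best[1]):
                best = (in_window, failed)
        in_window, failed = best
        if len(failed) < min_accounts:
            continue  # few distinct accounts: brute force on one user, not a spray

        successes = [e for e in in_window if e[3] == "success"]
        succeeded = {strip_domain(e[2]) for e in successes}
        success_hosts = {e[4] for e in successes}
        hosts = {e[4] for e in in_window}

        alerts = ["External Login Password Spray"]
        if succeeded:
            alerts.append("Successful External Login Password Spray")
        if hosts & DOMAIN_CONTROLLERS:
            if success_hosts & DOMAIN_CONTROLLERS:
                alerts.append("Successful External Login Password Spray on a Domain Controller")
            else:
                alerts.append("External Login Password Spray on a Domain Controller")
        if (failed | succeeded) & HONEY_USERS:
            alerts.append("External Login Password Spray Involving a Honey User")
        if success_hosts & SENSITIVE_SERVERS:
            alerts.append("Successful External Login Password Spray on a sensitive server")

        findings.append({
            "source": source,
            "failed_accounts": sorted(failed),
            "compromised_accounts": sorted(succeeded),
            "hosts": sorted(hosts),
            "alerts": alerts,
        })
    return findings


def response_actions(finding):
    """Containment steps a responder would queue for one finding: block the
    source at the perimeter and expire any account the spray got into
    (the PR thread mentions a PAN-OS block-IP step and expiring risky users;
    this mapping is an assumption, not the playbook's logic)."""
    actions = [f"block source {finding['source']} at the perimeter firewall"]
    for account in finding["compromised_accounts"]:
        actions.append(f"expire password and sessions for account {account}")
    return actions


if __name__ == "__main__":
    for finding in detect_sprays(SAMPLE_EVENTS):
        print(finding["source"], finding["alerts"])
        for action in response_actions(finding):
            print("  ->", action)
```

With the sample data, 203.0.113.7 is reported as a successful spray that also hit the honey user, 198.51.100.9 as a spray against a domain controller with no success, and 192.0.2.4 is not reported because it only retried a single account.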

@idovandijk idovandijk added the bypass.url Whether to create build bucket, add this label for marketplace.bootstrap.bypass.url label Oct 1, 2024
@content-bot (Collaborator) commented

This PR was automatically updated by a GitHub Action

  • Core pack version was bumped to 3.0.70.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@umishkin umishkin (Contributor) left a comment


Tags should be [Technique - Name], [Tactic - Name]

@ShirleyDenkberg (Contributor) commented

@umishkin @AdiPeret Doc review completed.

@idovandijk (Contributor, Author) commented

Updated with notes from reviews and technical writer suggestions. Changed status to: Waiting for PAN-OS - Block IP.

…ven though risky users are returned with the domain part (and we only expire risky users)
@idovandijk idovandijk merged commit 873d097 into master Oct 7, 2024
18 checks passed
@idovandijk idovandijk deleted the external-login-password-spray branch October 7, 2024 08:30