-
Notifications
You must be signed in to change notification settings - Fork 377
/
Copy pathexcessive_account_lockouts_enrichment.json
50 lines (50 loc) · 2.03 KB
/
excessive_account_lockouts_enrichment.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
{
"creation_date": "2017-08-17",
"data_metadata": {
"data_models": [
"Change"
],
"data_source": [
"Windows Event Logs"
],
"providing_technologies": [
"Microsoft Windows"
]
},
"description": "This Playbook is part of the Splunk Analytic Story called Account Monitoring and Controls. It is made to be run when the Detection Search within that story called \"Detect Excessive Account Lockouts From Endpoint\" is used to identify a potential attack in which multiple Active Directory user accounts are locked out from logging in because an adversary attempted incorrect credentials repeatedly against many user accounts. This Playbook runs the Context-gathering and Investigative searches linked in the Splunk Analytic Story to enrich the event with a broad array of information about the users and computers involved. Then the Playbook uses Windows Remote Management to login to the source of the lockouts, gather more information, and allow Phantom to shutdown the server after prompting an analyst or responder.",
"how_to_implement": "Import playbook into phantom",
"id": "ab62b5c1-95d4-4e71-8fd7-53a55db33da4",
"investigate": {
"phantom": {
"phantom_server": "automation (hostname)",
"playbook_name": "community/excessive_account_lockouts_enrichment_and_response",
"playbook_url": "https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/",
"schedule": {
"cron_schedule": "0 * * * *",
"earliest_time": "-4h@h",
"latest_time": "-5m@m"
},
"sensitivity": "green",
"severity": "medium"
}
},
"maintainers": [
{
"company": "Splunk",
"email": "bpatel@splunk.com",
"name": "Bhavin Patel"
}
],
"modification_date": "2019-02-14",
"name": "Excessive Account Lockouts Enrichment And Response",
"original_authors": [
{
"company": "Splunk",
"email": "bpatel@splunk.com",
"name": "Bhavin Patel"
}
],
"spec_version": 2,
"type": "phantom",
"version": "2.0"
}