
A user executed multiple ldap enumeration queries #38147

Open
wants to merge 27 commits into master

Conversation

idovandijk
Contributor

@idovandijk idovandijk commented Jan 14, 2025

Status

Ready

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-12204

Description

This playbook addresses the following alerts:

  • A user executed suspicious LDAP enumeration queries

Playbook Stages:

Triage:

  • Get additional event information about the LDAP searches executed by the user
  • Ensure that a single client IP exists in the alert
  • Get endpoint information for the client IP
  • Check preconditions for continuing investigation based on the number of suspicious attributes, attack tool queries, and vulnerable certificate templates

Investigation:

  • Enrich the user that executed the queries
  • Check if the user was created recently
  • Search for additional discovery alerts in the incident
  • Check user groups and roles to determine if the user is unprivileged
  • Check user querying frequency to detect anomalies
  • Get host risk level
  • Search for recent malware alerts on client IP

Remediation:

  • With analyst approval, disable the user in Active Directory if user-related anomalies are found and the alert is a True Positive.
  • With analyst approval, isolate the endpoint if host-related anomalies are found and the alert is a True Positive.
  • Logoff user from client host if an active session is detected and the alert is a True Positive.

Requirements:

For any response action, you need the following integrations:

  • Core - IR
  • Active Directory Query v2

A_user_executed_multiple_LDAP_enumeration_queries_Tue_Jan_14_2025
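An illustrative sketch of the triage and investigation checks the description lists (single client IP, suspicious-attribute count, recently created user, querying-frequency anomaly), added here as an example; it is not the playbook's code or part of the PR. The event schema, the attribute watchlist and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample LDAP search events for one alert (not real telemetry); field
# names and schema are assumptions, since the PR does not show the playbook's inputs.
EVENTS = [
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:00Z", "attrs": ["sAMAccountName", "memberOf"]},
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:05Z", "attrs": ["adminCount", "memberOf"]},
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:12Z", "attrs": ["servicePrincipalName"]},
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:20Z", "attrs": ["msDS-AllowedToDelegateTo"]},
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:31Z", "attrs": ["userAccountControl"]},
    {"user": "jdoe", "client_ip": "10.0.0.5", "time": "2025-01-14T13:00:45Z", "attrs": ["memberOf", "adminCount"]},
]
# Example watchlist of attributes worth counting (an assumption, not the playbook's list).
WATCHLIST = {"adminCount", "servicePrincipalName", "msDS-AllowedToDelegateTo"}

def _ts(iso):
    # fromisoformat() before Python 3.11 rejects a trailing "Z"
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def single_client_ip(events):
    """Triage: the alert must resolve to exactly one client IP; otherwise return None."""
    ips = {e["client_ip"] for e in events}
    return ips.pop() if len(ips) == 1 else None

def suspicious_attribute_count(events, watchlist):
    """Triage precondition: number of distinct watch-listed attributes requested."""
    return len({a for e in events for a in e["attrs"]} & watchlist)

def user_created_recently(created_iso, now_iso, max_age_days=7):
    """Investigation: account younger than max_age_days (threshold is an assumption)."""
    return _ts(now_iso) - _ts(created_iso) <= timedelta(days=max_age_days)

def query_rate_anomalous(events, window_sec, baseline_per_window, factor=3):
    """Investigation: peak query count in any window_sec window vs. factor x baseline."""
    times = sorted(_ts(e["time"]) for e in events)
    peak, start = 0, 0
    for end, t in enumerate(times):          # sliding window over sorted timestamps
        while (t - times[start]).total_seconds() > window_sec:
            start += 1
        peak = max(peak, end - start + 1)
    return peak >= factor * baseline_per_window

def triage(events, created_iso, now_iso):
    """Collect the check results an analyst would review before any response action."""
    return {
        "client_ip": single_client_ip(events),
        "suspicious_attrs": suspicious_attribute_count(events, WATCHLIST),
        "new_user": user_created_recently(created_iso, now_iso),
        "rate_anomaly": query_rate_anomalous(events, 600, 2),
    }
```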

@idovandijk idovandijk requested a review from AdiPeret January 14, 2025 13:04
@content-bot
Collaborator

This PR was automatically updated by a GitHub Action

  • CortexResponseAndRemediation pack version was bumped to 1.1.0.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

3 participants