Port Scan - Internal Source

Remediates port scans originating within the network.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Block IP - Generic v2
  • PANW - Hunting and threat detection by indicator type V2
  • Isolate Endpoint - Generic
  • Account Enrichment - Generic v2.1
  • Calculate Severity - Generic v2
  • Active Directory - Get User Manager Details
  • Block File - Generic v2
  • Splunk Indicator Hunting
  • QRadar Indicator Hunting V2

Integrations

  • Builtin

Scripts

  • SetAndHandleEmpty

Commands

  • xdr-get-endpoints
  • setIncident

Playbook Inputs


NameDescriptionDefault ValueSourceRequired
BlockAttackerIPWhether attacking IPs should be automatically blocked using firewalls.FalseRequired
WhitelistedHostnamesA list of hostnames that should not be isolated even if used in an attack.Optional
IsolateEndpointIfCriticalIncidentWhether to automatically isolate endpoints if the severity is critical and the endpoint is not on the WhitelistedHostnames input, or opt for manual user approval. True means isolation will be done automatically if the conditions are met.FalseRequired
RoleForEscalationThe name of the Cortex XSOAR role of the users that the incident can be escalated to, in case of developments like lateral movement.Optional
BlockMaliciousFilesWhether to automatically block malicious files involved with the incident across all endpoints in the organization.FalseRequired
InternalSourceIPsThe internal IP address(es) that performed the port scan. In order to properly respond to internal scans, either this or the SourceHostnames input has to be filled with data.Optional
SourceHostnamesThe source hostname(s) that performed the port scan. In order to properly respond to internal scans, either this or the InternalSourceIPs input has to be filled with data.Optional
SourceUsernamesThe Active Directory username(s) that were used in the port scan attack.Optional
InvolvedFileMD5MD5 hashes of files that were involved in the port scan incident.Optional
InvolvedFileSHA1SHA1 hashes of files that were involved in the port scan incident.Optional
InvolvedFileSHA256SHA256 hashes of files that were involved in the port scan incident.Optional
DBotScoreAll the DBotScores that were calculated either automatically by auto-reputation, or using specific tasks, when the incident was ingested. This is used to calculate the incident severity at a later stage.NoneDBotScoreOptional

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


Playbook Image