NGFW Internal Scan

This playbook investigates a scan where the source is an internal IP address. An attacker might initiate an internal scan for discovery, lateral movement and more. **Attacker's Goals:** An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services. **Investigative Actions:** * Endpoint Investigation Plan playbook **Response Actions** The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute: * Auto endpoint isolation * Manual block indicators * Manual file quarantine

Core · 16 tasks · 23 inputs · 0 outputs

Inputs

  • scannerIP — The scanner IP address
  • AutoCloseAlert — Whether to close the alert automatically or manually, after an analyst's review.
  • AutoContainment — Whether to execute automatically or manually the containment plan tasks: * Block indicators * Quarantine file * Disable user
  • HostAutoContainment — Whether to execute endpoint isolation automatically or manually.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation setParentIncidentFields

Flowchart

yes Yes yes Start Start Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Enrichment Enrichment Investigation Investigation Remediation Remediation Containment Plan - Containment Plan Containment Plan Containment Plan Was other activity found for the scanning host? Was other activity found ... Should close the alert? Should close the alert? Continue with the investigation Continue with the investi... Done Done Close alert - closeInvestigation Close alert closeInvestigation Endpoint Investigation Plan - Endpoint Investigation Plan Endpoint Investigation Plan Endpoint Investigation Plan Set Alert Severity to High - setParentIncidentFields Set Alert Severity to High setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic Endpoint Enrichment - Generic v2.1 - Endpoint Enrichment - Generic v2.1 Endpoint Enrichment - Gen... Endpoint Enrichment - Generic...