Cisco Duo - Multiple failed logon attempts
Playbook Description
This playbook analyzes failed logon reasons, checks IP reputation, blocks malicious IPs, verifies successful logons, assesses device health, disables compromised accounts, and notifies the security team.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Credential Access(TA0006) | Brute Force(T1110) | Password Guessing(T1110.001) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Harden(D3-Harden) | Application Hardening(D3-AH) | Application Configuration Hardening(D3-ACH) |
Playbook input type
Alert
Prerequisites
- VirusTotal API - Need to connect with the VirusTotal API and fetch an access key to check the malware IP details.
- Cisco Duo configuration - Need to connect Cisco Duo using HMAC connection with Integration and secret key.
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs
Dependencies
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Extensions - Cisco Duo
- ciscoduo_modifyUser
- ciscoduo_retrieveEndpointById
Utility functions
- utility_parseAggregateLog
- utility_compareListElements
- utility_analyseDeviceHealthResult
- utility_extractMaliciousEntitiesByRiskScore
- utility_getRequiredTime
- utility_convertTimeToUTC
- utility_convertToString
- utility_sendMail
Connections
- VirusTotal connection - Need to connect with the VirusTotal API and fetch an access key to check the malware IP/URL/File details.
- Cisco Duo connection - Need to connect Cisco Duo using Integration Key, Secret Key and API Hostname.
Sub playbooks
- Cisco Duo - Block IP
Execution workflow
Investigation:
- Fetches the reason from aggregated log.
- Checks the logon failure reason.
Decision logic:
- Proceeds to remediation based on the following conditions:
  - Related investigation findings are present.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Parses the IP address.
- Checks the IP reputation in batch.
- Calculates the IP risk score in batch.
- Identifies malicious entities based on their risk scores.
- Checks whether IP is malicious.
- Executes the "Cisco Duo - Block IP" sub-playbook.
- Checks for the successful logon.
- Checks whether successful logon exists.
- Checks the device health.
- Analyzes endpoint details.
- Checks whether device is malicious.
- Formats input for disabling user.
- Disables the user.
- Passes user and logon handling.
- Validates that all remediation actions are completed successfully.
- Builds the mail subject.
- Builds the notification email with the analysis results.
- Sends a notification email regarding the actions taken and required next steps.
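The investigation, decision and remediation steps above, worked through as an added example that is not part of this playbook or the Cisco Duo/VirusTotal extensions. The aggregated log records, the risk scores standing in for the batch VirusTotal lookup, the endpoint health flags and the risk threshold of 70 are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of aggregated Cisco Duo authentication records (not real data).
SAMPLE_LOG = [
    {"user": "alice", "ip": "203.0.113.10", "result": "denied", "reason": "Invalid passcode", "ts": 1},
    {"user": "alice", "ip": "203.0.113.10", "result": "denied", "reason": "Invalid passcode", "ts": 2},
    {"user": "alice", "ip": "203.0.113.10", "result": "denied", "reason": "Invalid passcode", "ts": 3},
    {"user": "alice", "ip": "203.0.113.10", "result": "success", "reason": "Valid passcode", "ts": 4},
    {"user": "bob", "ip": "198.51.100.7", "result": "denied", "reason": "User is disabled", "ts": 5},
    {"user": "carol", "ip": "192.0.2.55", "result": "denied", "reason": "Invalid passcode", "ts": 6},
]
# Constructed stand-in for the batch reputation / risk score lookup (assumed values).
RISK_SCORES = {"203.0.113.10": 85, "198.51.100.7": 10, "192.0.2.55": 20}
# Constructed stand-in for the endpoint health check (True = healthy device).
DEVICE_HEALTHY = {"alice": False, "bob": True, "carol": True}
MALICIOUS_THRESHOLD = 70  # assumed cut-off for "malicious"

def investigate(log):
    """Group failed logons by source IP and collect their failure reasons."""
    failures = defaultdict(lambda: {"users": set(), "reasons": set()})
    for rec in log:
        if rec["result"] == "denied":
            failures[rec["ip"]]["users"].add(rec["user"])
            failures[rec["ip"]]["reasons"].add(rec["reason"])
    return failures

def malicious_ips(failures, scores, threshold=MALICIOUS_THRESHOLD):
    """IPs whose risk score meets the threshold (batch score result)."""
    return sorted(ip for ip in failures if scores.get(ip, 0) >= threshold)

def successful_logons_from(log, ips):
    """Users who logged in successfully from a flagged IP after failing from it."""
    seen_fail, hits = set(), set()
    for rec in sorted(log, key=lambda r: r["ts"]):
        if rec["ip"] not in ips:
            continue
        key = (rec["user"], rec["ip"])
        if rec["result"] == "denied":
            seen_fail.add(key)
        elif rec["result"] == "success" and key in seen_fail:
            hits.add(rec["user"])
    return sorted(hits)

def remediate(log, scores, healthy):
    """Decision logic: block malicious IPs, disable users on unhealthy devices."""
    bad_ips = malicious_ips(investigate(log), scores)
    if not bad_ips:
        return {"action": "none"}  # no confirmed malicious indicators
    compromised = successful_logons_from(log, set(bad_ips))
    disable = [u for u in compromised if not healthy.get(u, False)]
    return {"block_ips": bad_ips, "review_users": compromised, "disable_users": disable}
```

In the real playbook the block, disable and notify steps are carried out by the sub-playbook and the ciscoduo_modifyUser / utility_sendMail actions; here the result dict only names what those steps would act on.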
Post execution procedure
- Review blocked IP addresses to ensure no legitimate traffic was affected.
- Investigate whether the compromised account was used to access any sensitive applications.
- Review Cisco Duo authentication logs for additional unauthorized access attempts.
- Verify device health status and assess whether compromised devices need remediation.
- Consider enforcing additional MFA factors for the affected user before re-enabling access.
- Audit other accounts for similar failed logon patterns.