ROBO is a system-generated user that is assigned as the default owner of an ActOn. Once ROBO is assigned as the owner, the auto-validation system checks whether the generated ActOn is a false positive. If it is a false positive, ROBO closes the ActOn without taking any further action on it. If it is a true positive, ROBO forwards the ActOn to the respective SOC analyst to remediate the issue in the IT infrastructure.
For example, when CPU usage crosses a threshold limit (say 90%), an ActOn is generated and ROBO is assigned as its owner. The auto-validation system cross-checks whether CPU usage actually crossed the threshold limit. If the ActOn does reach the threshold limit, it is forwarded to the respective SOC analyst; otherwise ROBO closes the ActOn.
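The triage flow described above, modelled as an added example (not code from the ROBO product): the ActOn record, owner, analyst name, CPU samples and IP whitelist are all hypothetical, constructed here so the decision logic runs offline. It generalises the CPU case slightly by also treating a whitelisted source IP as a false positive.

```python
from dataclasses import dataclass

CPU_THRESHOLD = 90.0  # the 90% limit used in the example above

# Constructed sample data: latest CPU reading per host and a source-IP whitelist.
CPU_SAMPLES = {"srv-01": 95.0, "srv-02": 40.0}
IP_WHITELIST = {"10.0.0.5"}


@dataclass
class ActOn:
    """Hypothetical ActOn record: an alert with its default owner and state."""
    acton_id: str
    kind: str            # "cpu_threshold" or "suspicious_ip"
    details: dict
    owner: str = "ROBO"  # ROBO is the system-generated default owner
    state: str = "open"  # "open" | "closed_false_positive" | "assigned_analyst"


def is_false_positive(acton: ActOn, cpu_samples: dict, ip_whitelist: set) -> bool:
    """ROBO's auto-validation: re-check the condition that raised the ActOn."""
    if acton.kind == "cpu_threshold":
        # True positive only if the host is really still above the limit.
        return cpu_samples[acton.details["host"]] <= CPU_THRESHOLD
    if acton.kind == "suspicious_ip":
        # A whitelisted source IP is treated as a false positive.
        return acton.details["ip"] in ip_whitelist
    return False  # unknown kinds are never auto-closed; an analyst must look


def robo_triage(acton: ActOn, cpu_samples: dict, ip_whitelist: set, analyst: str) -> ActOn:
    """Close a false positive, or hand a true positive to the SOC analyst."""
    if acton.owner != "ROBO":
        return acton  # already owned by a person; nothing for ROBO to do
    if is_false_positive(acton, cpu_samples, ip_whitelist):
        acton.state = "closed_false_positive"
    else:
        acton.owner = analyst
        acton.state = "assigned_analyst"
    return acton


if __name__ == "__main__":
    for a in (ActOn("A1", "cpu_threshold", {"host": "srv-01"}),
              ActOn("A2", "cpu_threshold", {"host": "srv-02"}),
              ActOn("A3", "suspicious_ip", {"ip": "10.0.0.5"})):
        robo_triage(a, CPU_SAMPLES, IP_WHITELIST, "analyst1")
        print(a.acton_id, a.owner, a.state)
```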
Functions of a ROBO
In a nutshell, a ROBO can respond to the following activities; however, not all responses are automated.
- Check on the following machine(s) whether a new script/app was installed on the assets. Failed logins can be because of a non-existent/misspelled account.
- Run a full anti-virus scan on the hosts below
- Correct the logging configuration on the following sources
- Checking if IP(s) are/were associated with a known C2 server
- Determine if there are multiple attack sources.
- On the source machine, check for a script using the username; if the user account is genuine, provide correct credentials and unlock the user account.
- Determine Service Names
- Isolate the affected network subnets
- Determine common vulnerabilities between threat and asset
- Determine FQDNs
- Determine if the IP(s) are whitelisted
- Determine if the Domain(s) are whitelisted
- Determine action on threats
- Is the login initiated by a well-known Windows process
- Find all the unique usernames being attempted
- Enable MFA for user(s)
- Determine if a privileged account is under attack
- On following machine(s), check for periodic script execution related issues
- Update the host's antivirus if it is not up to date.
- Determine if host(s) have high risk score
- Determine threat(s) file paths
- Determine threat(s) type
- Determine the host's antivirus status.
- Block the following port on perimeter firewall
- Check IP(s) for public Scanner
- Determine if the asset(s) are critical asset
- Check IP details
- Determine if multiple assets are under attack.
- Possible removal instructions for {malware} malware
- Check if an SMB scan was performed
- Checking events Other than traffic logs
- Checking if the login succeeded on any target asset using any of the usernames attempted
- Determine if user(s) belong to your domain
- Determine if the service(s) under attack should be exposed on the internet
- Determine user(s) status
- Determine IP Threat Intel Label(s)
- Determine if the user(s) are critical users
- Checking domain(s) associated with malware
- Patch critical vulnerabilities on host(s)
- Determine threat action
- Checking if IP(s) are/were associated with malware
- Isolate and scan the system for malware
- Determine communication type
- Determine File Names
- Determine traffic action
- Resolving IP for FQDN
- User should use strong and unique password for online accounts
- Determine IP Threat Intel category(s)
- Check if an internal scan was performed on well-known ports
- Determine Process Names
- Determine hash detections from VirusTotal
- Check IP(s) for TOR exit node
- Checking the role of host assets
- Checking if domain is part of CDN
- Determine if IP(s) are associated with CnC
- Determine if Domain(s) are associated with CnC
- Determine if a login attempt was successful on target host
- Determine Logon type
- Determine Destination Ports
- Determine threat(s) name
- Determine if a security audit/VAPT was initiated from the IP address below
- Determine threat(s) active status
- Find all the unique ports/services under attack
- Determine Protocol Names
- Determine Applications Names
- Determine Destination IPs
- Determine User Names
- Checking Domain
- Reimage system
- Determine threat(s) hash
- Determine Source IPs
- Determine if the IP address is a VPN
- Determine URLs
- Determine if IP(s) belongs to CDN
- Determine whitelisted IP(s)
- Determine CVE associated with threats
- Firewall unnecessary service(s) exposed on the internet
- Determine malicious activity associated with IP(s)
- Checking IP(s) associated with malware
- Checking Domain(s) associated with malware
- Determine common ports between various targets in this attack
- Determine whether the following ports should be exposed on the public asset
- Block the IP(s) below on the perimeter firewall
- Checking IP(s) roles
- Checking AbuseIPDB
- Checking if IP(s) are part of CDN
- Checking if Domain(s) are part of CDN
- Mapping FQDN to IP address
- Determine threat(s) labels
- Determine if the host(s) have critical vulnerabilities
- Determine if IP(s) are sinkholed
- Determine Log Source name and type
Special tasks in logstopage model
- Checking Log Source Name
- Checking Log Source Group
- Checking last Log time
- Checking EPS Group
- Checking last checked time
- Checking Log Source Type