PromptBase

Prompt Details

Model
(gemini-3.1-pro)
Token size
455
Example input
[Threat Scenario/Alert Type]: Multiple Failed Login Attempts Followed by Success (Brute Force)
[Target System/Environment]: Corporate VPN Gateway (Active Directory Integrated)
[Severity Level]: High
Example output
# IR Playbook: Multiple Failed Login Attempts Followed by Success (Brute Force)

## 1. Threat Overview
- **Severity:** High
- **Target Environment:** Corporate VPN Gateway (Active Directory Integrated)
- **Description:** An attacker attempts to guess a user's password through automated or manual brute-forcing. A subsequent successful login indicates the attacker has compromised the credentials and gained access to the internal network.

## 2. Required Log Collection
- Windows Active Directory Security Logs (Event ID 4625 for failed logons, 4624 for successful logons; where the gateway authenticates through RADIUS/NPS, the domain controller also records each credential check as Event ID 4776, so collect that as well).
- VPN Gateway authentication logs (RADIUS/LDAP server logs).
- Endpoint Detection and Response (EDR) logs from the compromised user's workstation.

## 3. Risk Judgment Criteria
**Indicators of True Positive:**
- High volume of failed logins (e.g., >20) from the same external IP address within a 5-minute window, followed by a successful login from that IP.
- The successful login originates from an IP address or geolocation the user does not typically work from.
- Impossible travel (e.g., a login from Seoul followed by a login from London 10 minutes later).

**Indicators of False Positive:**
- The user forgot their password, attempted it multiple times, and finally remembered it, with all attempts originating from their known home IP address.
- A misconfigured automated service account or mobile device repeatedly failing authentication because of an expired cached password.

## 4. Situational Response Actions
**Immediate Containment:**
1. Contain the compromised user account: disable it in Active Directory immediately, or force a password reset.
2. Terminate the active VPN session associated with the suspicious IP address on the VPN Gateway.
3. Block the originating malicious external IP address at the perimeter firewall.

**Eradication & Recovery:**
1. Review all network and application access logs for the compromised user account after the successful authentication to identify any unauthorized data access or lateral movement.
2. Require the user to configure multi-factor authentication (MFA) upon account reactivation.
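The risk judgment criteria above (a burst of failures from one source IP inside a five-minute window, followed by a success from the same IP, with the "forgot my password from home" case as the main false positive) translate directly into a sliding-window detection. The following is an added example, not the prompt's output or the seller's code; the log-line format, the `FAIL_THRESHOLD`/`WINDOW` values, the `KNOWN_IPS` table and the sample lines are all constructed assumptions, and the regex would need adapting to a real gateway's format.

```python
"""Brute-force-then-success detector over VPN gateway authentication logs.

Added example; not code from the prompt, its author, or its sample output.
The log-line format, thresholds and sample data are constructed assumptions:
adapt LINE_RE to the gateway's real log format before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 20            # failures that must precede the success (playbook: ~20 in 5 minutes)
WINDOW = timedelta(minutes=5)  # sliding window in which the failures are counted

# Assumed log-line format (constructed, not a real vendor format):
#   <ISO-8601 UTC timestamp> vpn-gw auth user=<name> src=<ip> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed per-user "known" source IPs (home/office), used to down-rank the
# forgotten-password false positive described in the playbook.
KNOWN_IPS = {"bob": {"198.51.100.7"}, "dave": {"198.51.100.22"}}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["result"] == "OK"}


def detect(lines, known_ips=None, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (alerts, likely_benign).

    A record is produced when a successful logon for (user, src_ip) is preceded
    by at least `threshold` failures from that same IP inside `window`.
    Successes from an IP listed in known_ips[user] go to likely_benign (the user
    fumbling their own password); everything else is a true-positive candidate.
    """
    known_ips = known_ips or {}
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails = defaultdict(deque)  # (user, ip) -> timestamps of failures still inside the window
    alerts, likely_benign = [], []
    for ev in events:
        q = fails[(ev["user"], ev["ip"])]
        while q and ev["ts"] - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            record = {
                "user": ev["user"],
                "src_ip": ev["ip"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            }
            bucket = likely_benign if ev["ip"] in known_ips.get(ev["user"], set()) else alerts
            bucket.append(record)
        q.clear()  # a success ends the current burst for this (user, ip)
    return alerts, likely_benign


def constructed_lines():
    """Constructed sample log lines (not captured traffic)."""
    base = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)

    def line(offset_s, user, ip, result):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} vpn-gw auth user={user} src={ip} result={result}"

    lines = []
    # alice: 24 failures in two minutes from an unknown external IP, then success -> alert
    lines += [line(i * 5, "alice", "203.0.113.45", "FAIL") for i in range(24)]
    lines.append(line(130, "alice", "203.0.113.45", "OK"))
    # bob: three typos then success from his known home IP -> below threshold, no record
    lines += [line(300 + i * 20, "bob", "198.51.100.7", "FAIL") for i in range(3)]
    lines.append(line(400, "bob", "198.51.100.7", "OK"))
    # carol: 30 failures spread over 22 minutes, then success -> never 20 inside one window
    lines += [line(600 + i * 45, "carol", "192.0.2.9", "FAIL") for i in range(30)]
    lines.append(line(600 + 30 * 45, "carol", "192.0.2.9", "OK"))
    # dave: 22 failures then success from his known IP -> likely benign, not an alert
    lines += [line(3000 + i * 5, "dave", "198.51.100.22", "FAIL") for i in range(22)]
    lines.append(line(3120, "dave", "198.51.100.22", "OK"))
    lines.append("malformed line that the parser must skip")
    return lines


def run():
    """Run the detector over the constructed sample and return (alerts, likely_benign)."""
    return detect(constructed_lines(), KNOWN_IPS)


if __name__ == "__main__":
    alerts, benign = run()
    for a in alerts:
        print("ALERT", a)
    for b in benign:
        print("LIKELY BENIGN", b)
```

The carol case is the one worth noting: thirty failures is more than the threshold in total, but spaced 45 seconds apart they never reach twenty inside any five-minute window, so a per-window count does not fire; a slow, patient spray needs a second rule with a longer window, which the playbook's criteria as written do not cover.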

SIEM/SOAR IR Playbook Architect

Usage rights: Commercial use
Money-back guarantee
Streamline your Security Operations Center (SOC). This prompt generates structured, enterprise-grade Incident Response (IR) playbooks tailored to SIEM and SOAR environments. Input a threat scenario and it returns a step-by-step guide covering required log collection, risk judgment criteria (true-positive versus false-positive indicators), and situational response actions. Intended for security engineers and DevOps teams standardizing their SOC workflows.
Added 1 week ago