wagov / WASOCAutomationPlaybook

For testing playbooks

"Excessive Login Attempts (Microsoft Defender for IoT)" #19

Open ryan-aus opened 1 year ago

ryan-aus commented 1 year ago

Related to #20

Unsure how to handle Defender for IoT incidents.

Rule appears to be triggered by the creation of multiple other login-related incidents/alerts

KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTExcessiveLoginAttempts.yaml#L8

SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions") 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques

DGOV-Bryce commented 1 year ago

These are hard without some actual logs to base things off of, but we could be generic from the point of looking at the entities it's pulling out (should this incident occur). As such, we could frame it from checking the IPs (as per norm), the remediation steps, whether the protocol should be in use with the device, etc.

Remediation would potentially involve blocking the IP(s), adding firewall exclusions, etc.

Alternatively we could put those that we can't yet have confidence in the automation rule into a TBC group?
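The triage framing above (check the source IP, check whether the protocol belongs on the device, surface the vendor remediation step, then decide between blocking the IP and adding a firewall exclusion) can be sketched as code against the fields the rule's KQL extracts from ExtendedProperties. The following is an added example, not code from the WASOCAutomationPlaybook repo or from either commenter. The SecurityAlert rows are constructed test data, and ALLOWED_SOURCE_RANGES and EXPECTED_PROTOCOLS are assumed site-specific reference lists that a real playbook would pull from an asset inventory.

```python
import ipaddress
import json

# Alert names the Sentinel rule matches (copied from the KQL in the issue).
RULE_ALERT_NAMES = {
    "Excessive Login Attempts",
    "Excessive SMB login attempts",
    "Password Guessing Attempt Detected",
    "Excessive Number of Sessions",
}

# ASSUMED site reference data (placeholders, not from the playbook repo):
# source ranges permitted to log in to OT devices, and the protocols each
# device is expected to speak. Replace from the site's asset inventory.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network("10.10.5.0/24")]
EXPECTED_PROTOCOLS = {"plc-01": {"MODBUS"}, "hmi-02": {"SMB", "RDP"}}


def _row(alert_name, props, severity="Medium", provider="IoTSecurity"):
    """Build one CONSTRUCTED SecurityAlert-like record for illustration."""
    return {
        "ProviderName": provider,
        "AlertName": alert_name,
        "AlertSeverity": severity,
        "ExtendedProperties": json.dumps(props) if isinstance(props, dict) else props,
        "RemediationSteps": json.dumps(["Verify the source is an authorised engineering host."]),
    }


# Constructed sample alerts: allowed source but unexpected protocol, unknown
# source, fully expected traffic, a non-new alert, unparsable properties,
# and an alert name the rule does not match.
SAMPLE_ALERTS = [
    _row("Excessive Login Attempts", {"isNew": "True", "DeviceId": "plc-01",
         "SourceDeviceAddress": "10.10.5.23", "DestinationDeviceAddress": "10.10.1.50",
         "Protocol": "SMB"}),
    _row("Password Guessing Attempt Detected", {"isNew": "True", "DeviceId": "hmi-02",
         "SourceDeviceAddress": "192.168.77.9", "DestinationDeviceAddress": "10.10.1.60",
         "Protocol": "RDP"}, severity="High"),
    _row("Excessive Number of Sessions", {"isNew": "True", "DeviceId": "hmi-02",
         "SourceDeviceAddress": "10.10.5.4", "DestinationDeviceAddress": "10.10.1.60",
         "Protocol": "SMB"}),
    _row("Excessive SMB login attempts", {"isNew": "False", "DeviceId": "plc-01",
         "SourceDeviceAddress": "10.10.5.23", "DestinationDeviceAddress": "10.10.1.50",
         "Protocol": "SMB"}),
    _row("Excessive Login Attempts", "{not valid json"),
    _row("Unauthorized Internet Connectivity Detected", {"isNew": "True"}),
]


def parse_alert(row):
    """Mirror the rule's KQL `extend`: parse ExtendedProperties and pick the
    fields the playbook reasons about. Returns None when the JSON is unusable."""
    try:
        props = json.loads(row["ExtendedProperties"])
        steps = json.loads(row.get("RemediationSteps") or "[]")
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(props, dict):
        return None
    return {
        "is_new": str(props.get("isNew")) == "True",
        "device_id": str(props.get("DeviceId", "")),
        "source": str(props.get("SourceDeviceAddress", "")),
        "dest": str(props.get("DestinationDeviceAddress", "")),
        "protocol": str(props.get("Protocol", "")).upper(),
        "remediation": steps[0] if isinstance(steps, list) and steps else "",
    }


def triage(row):
    """Apply the checks from the thread: is the source IP one we expect, should
    this protocol be in use on the device, and which remediation follows."""
    if row.get("ProviderName") != "IoTSecurity" or row.get("AlertName") not in RULE_ALERT_NAMES:
        return {"verdict": "out_of_scope", "actions": []}
    alert = parse_alert(row)
    if alert is None:
        return {"verdict": "manual_review",
                "actions": ["ExtendedProperties unparsable; review the alert in the portal"]}
    if not alert["is_new"]:
        return {"verdict": "skip_not_new", "actions": []}

    try:
        src = ipaddress.ip_address(alert["source"])
        source_allowed = any(src in net for net in ALLOWED_SOURCE_RANGES)
    except ValueError:
        source_allowed = False  # empty or malformed address: treat as unknown
    protocol_expected = alert["protocol"] in EXPECTED_PROTOCOLS.get(alert["device_id"], set())

    # Always carry the vendor remediation step through to the analyst.
    actions = [alert["remediation"]] if alert["remediation"] else []
    if not source_allowed:
        verdict = "escalate"
        actions.append(f"Block {alert['source']} -> {alert['dest']} at the OT firewall")
    elif not protocol_expected:
        verdict = "investigate"
        actions.append(f"Confirm with the asset owner whether {alert['protocol']} "
                       f"should be in use on {alert['device_id']}")
    else:
        verdict = "likely_benign"
        actions.append("Known source and protocol; confirm with the device owner, "
                       "then consider a firewall exclusion or rule tuning")
    return {"verdict": verdict, "source_allowed": source_allowed,
            "protocol_expected": protocol_expected, "actions": actions}


def triage_all(rows):
    """Triage a batch of SecurityAlert-like rows, one result per row."""
    return [triage(r) for r in rows]
```

Alerts that fail parsing or carry an unknown source deliberately fall to the analyst rather than to an automated block, which matches the suggestion of keeping low-confidence cases in a TBC group until real logs are available to tune against.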