Open ryan-aus opened 1 year ago
These are hard without some actual logs to base things off of, but we could be generic from the point of looking at the entities it's pulling out (should this incident occur). As such, we could frame it as: check the IP (as per norm), the remediation steps, whether the protocol should be in use with the device, etc.
Remediation would potentially involve blocking the IP(s), adding firewall exclusions, etc.
Alternatively, we could put those where we can't yet have confidence in the automation rule into a TBC group?
My preference is to also leave them aside for now. I would rather give no advice than potentially incorrect advice and give clients a false sense of confidence.
Related to #19
Unsure how to correctly remediate Defender for IoT incidents
KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTDenialofService.yaml#L10
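The entity-based framing discussed above (check the source IP, check whether the protocol belongs on the device, then decide between a remediation step and a "TBC" bucket) can be written down as a small triage function. The following is an added example, not code from the Azure-Sentinel repository, from Defender for IoT, or from the issue author; the device inventory, expected-protocol map, OT address ranges and sample alerts are all constructed for illustration, and a real playbook would pull the inventory from Defender for IoT rather than a hard-coded dictionary.

```python
"""Triage helper for Defender for IoT alerts surfaced in Microsoft Sentinel.

Added example (not from the Azure-Sentinel repo or the issue author). It takes
the entities an IoT/OT alert typically carries (source IP, destination device,
protocol) and returns a remediation recommendation only when the evidence
supports one; otherwise it files the alert as TBC rather than guessing.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory: device name -> protocols it is expected to speak.
# Assumption for the example; a deployment would use the real device inventory.
EXPECTED_PROTOCOLS = {
    "plc-line1": {"Modbus TCP", "S7comm"},
    "hmi-line1": {"HTTPS", "VNC"},
    "historian": {"OPC UA"},
}

# Constructed OT network ranges; a source outside them is treated as external.
OT_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class Alert:
    name: str
    source_ip: str
    destination_device: str
    protocol: str


@dataclass
class Triage:
    verdict: str                       # "remediate" or "tbc"
    confidence: str                    # "high", "medium" or "low"
    findings: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the known OT ranges."""
    addr = ipaddress.ip_address(ip)      # raises ValueError on garbage
    return any(addr in net for net in OT_NETWORKS)


def triage(alert: Alert) -> Triage:
    """Decide whether an alert has a defensible remediation or goes to TBC."""
    t = Triage(verdict="tbc", confidence="low")

    try:
        internal = is_internal(alert.source_ip)
    except ValueError:
        t.findings.append(f"unparseable source IP {alert.source_ip!r}")
        return t

    expected = EXPECTED_PROTOCOLS.get(alert.destination_device)
    if expected is None:
        t.findings.append(f"{alert.destination_device} is not in the inventory")
        return t

    if not internal:
        # An external host reaching an OT device is never expected: block it.
        t.verdict, t.confidence = "remediate", "high"
        t.findings.append(f"external source {alert.source_ip} reached "
                          f"{alert.destination_device}")
        t.actions += [f"block {alert.source_ip} at the perimeter firewall",
                      "confirm no inbound rule exposes the OT segment"]
    elif alert.protocol not in expected:
        # Internal host using a protocol the device should not see: likely
        # misconfiguration or lateral movement, so confirm before blocking.
        t.verdict, t.confidence = "remediate", "medium"
        t.findings.append(f"{alert.protocol} is not expected on "
                          f"{alert.destination_device}")
        t.actions += [f"verify with the asset owner whether {alert.source_ip} "
                      f"should speak {alert.protocol} to {alert.destination_device}",
                      f"deny {alert.protocol} from {alert.source_ip} to "
                      f"{alert.destination_device} on the segment firewall"]
    else:
        # Expected peer, expected protocol: could be a legitimate burst.
        t.findings.append("expected protocol from an internal source; "
                          "manual review needed")
    return t


if __name__ == "__main__":
    # Constructed sample alerts, not real Defender for IoT output.
    for a in [Alert("Denial of Service", "203.0.113.7", "plc-line1", "Modbus TCP"),
              Alert("Denial of Service", "10.20.3.4", "plc-line1", "HTTPS"),
              Alert("Denial of Service", "10.20.3.4", "plc-line1", "S7comm")]:
        r = triage(a)
        print(f"{a.source_ip} -> {a.destination_device}: {r.verdict} "
              f"({r.confidence}) {r.actions}")
```

The point of the third branch is the one the issue makes: when the entities alone do not justify an action, the function returns TBC with a finding instead of a remediation step, so an automation rule built on it gives no advice rather than wrong advice.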