"Excessive Login Attempts (Microsoft Defender for IoT)" #19

Open
ryan-aus opened this issue Mar 29, 2023 · 1 comment
@ryan-aus
Contributor

ryan-aus commented Mar 29, 2023

Related to #20

Unsure how to handle Defender for IoT incidents.

Rule appears to be triggered by the creation of multiple other login-related incidents/alerts.

KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTExcessiveLoginAttempts.yaml#L8

SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions") 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques
@DGOV-Bryce
Contributor

These are hard without some actual logs to base things off of, but we could be generic from the point of looking at the entities it's pulling out (should this incident occur). As such, we could frame it as checking the IPs (as per norm), the remediation steps, whether the protocol should be in use with the device, etc.

Remediation would potentially involve blocking the IP(s), adding firewall exclusions, etc.

Alternatively, we could put those where we can't yet have confidence in the automation rule into a TBC group?
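The following is an added example, not code from this thread or from the Azure-Sentinel repository. It re-implements the IoTExcessiveLoginAttempts KQL filter in Python over a few constructed SecurityAlert rows (so the isNew / provider / alert-name gates and the field flattening can be exercised offline), then applies the triage checks proposed in the comment above: is the SourceDeviceAddress inside a trusted range, and is the Protocol one the target DeviceId is expected to speak? The sample rows, TRUSTED_NETWORKS, EXPECTED_PROTOCOLS and the priority scheme are all made-up assumptions for the example; a real deployment would take those from the site's asset inventory.

```python
"""Added example, not code from this issue thread or the Azure-Sentinel repository:
a Python equivalent of the IoTExcessiveLoginAttempts KQL filter run over constructed
SecurityAlert rows, then the triage checks the thread suggests (is the source IP in a
trusted range? is the protocol expected on the target device?). The sample rows,
TRUSTED_NETWORKS and EXPECTED_PROTOCOLS are made-up assumptions for the example."""
import ipaddress
import json

# The four AlertName values the analytic rule matches on.
ALERT_NAMES = {"Excessive Login Attempts", "Excessive SMB login attempts",
               "Password Guessing Attempt Detected", "Excessive Number of Sessions"}
# Hypothetical site baseline: trusted source ranges and what each device should speak.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_PROTOCOLS = {"plc-01": {"MODBUS"}, "hmi-02": {"HTTP", "HTTPS"}}


def _row(name, provider, ext, steps, sev="Medium"):
    """Build a constructed SecurityAlert-shaped row (dynamic columns arrive as JSON text)."""
    return {"TimeGenerated": "2023-03-29T10:00:00Z", "ProviderName": provider,
            "AlertName": name, "AlertSeverity": sev,
            "ExtendedProperties": json.dumps(ext), "RemediationSteps": json.dumps(steps)}


SAMPLE_ALERTS = [  # constructed rows, not real Defender for IoT output
    # 1: new alert, external source, SMB against a PLC that should only speak Modbus
    _row("Excessive SMB login attempts", "IoTSecurity",
         {"isNew": "True", "DeviceId": "plc-01", "SourceDeviceAddress": "203.0.113.7",
          "DestinationDeviceAddress": "10.0.0.15", "Protocol": "SMB",
          "AlertManagementUri": "https://example.invalid/alerts/1"},
         ["Block the source address at the firewall"]),
    # 2: the same alert re-sent with isNew false; the rule drops it
    _row("Excessive SMB login attempts", "IoTSecurity",
         {"isNew": "False", "DeviceId": "plc-01", "SourceDeviceAddress": "203.0.113.7",
          "DestinationDeviceAddress": "10.0.0.15", "Protocol": "SMB"}, []),
    # 3: new alert from an internal host using a protocol the HMI is expected to serve
    _row("Excessive Login Attempts", "IoTSecurity",
         {"isNew": "True", "DeviceId": "hmi-02", "SourceDeviceAddress": "10.0.1.40",
          "DestinationDeviceAddress": "10.0.0.20", "Protocol": "HTTP",
          "AlertManagementUri": "https://example.invalid/alerts/3"}, [], sev="Low"),
    # 4: matching name but a different provider; the rule drops it
    _row("Password Guessing Attempt Detected", "OtherProvider",
         {"isNew": "True", "DeviceId": "srv-09", "SourceDeviceAddress": "10.0.2.2",
          "DestinationDeviceAddress": "10.0.2.3", "Protocol": "SSH"}, ["Reset credentials"]),
]


def filter_alerts(rows):
    """Mirror the KQL: ProviderName == "IoTSecurity", AlertName in ALERT_NAMES,
    ExtendedProperties.isNew == "True" after parse_json, then flatten the projected fields."""
    out = []
    for row in rows:
        if row.get("ProviderName") != "IoTSecurity" or row.get("AlertName") not in ALERT_NAMES:
            continue
        try:
            ext = json.loads(row.get("ExtendedProperties") or "{}")
            steps = json.loads(row.get("RemediationSteps") or "[]")
        except json.JSONDecodeError:
            continue  # parse_json() yields null in KQL, so the isNew test fails there too
        if not isinstance(ext, dict):
            continue
        is_new = ext.get("isNew", "")
        if isinstance(is_new, bool):  # tostring(true) is "true" in KQL, not "True"
            is_new = str(is_new).lower()
        if str(is_new) != "True":  # KQL string == is case-sensitive
            continue
        out.append({
            "TimeGenerated": row.get("TimeGenerated"),
            "DeviceId": str(ext.get("DeviceId", "")),
            "AlertSeverity": row.get("AlertSeverity"),
            "AlertName": row["AlertName"],
            "Protocol": str(ext.get("Protocol", "")),
            "SourceDeviceAddress": str(ext.get("SourceDeviceAddress", "")),
            "DestDeviceAddress": str(ext.get("DestinationDeviceAddress", "")),
            # tostring(parse_json(RemediationSteps)[0]) is "" when the array is empty
            "RemediationSteps": str(steps[0]) if isinstance(steps, list) and steps else "",
            "AlertManagementUri": str(ext.get("AlertManagementUri", "")),
        })
    return out


def triage(alert, expected_protocols=EXPECTED_PROTOCOLS, trusted_networks=TRUSTED_NETWORKS):
    """The checks proposed in the thread; returns (priority, findings)."""
    findings = []
    src = alert.get("SourceDeviceAddress", "")
    try:
        if not any(ipaddress.ip_address(src) in net for net in trusted_networks):
            findings.append(f"source {src} is outside the trusted ranges")
    except ValueError:
        # An address that does not parse must not be silently treated as trusted.
        findings.append(f"source address {src!r} is not a valid IP; treating as untrusted")
    device, proto = alert.get("DeviceId", ""), alert.get("Protocol", "").upper()
    allowed = expected_protocols.get(device)
    if allowed is None:
        findings.append(f"no protocol baseline for device {device}")
    elif proto not in allowed:
        findings.append(f"protocol {proto} is not expected on {device}")
    priority = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return priority, findings
```

Running `filter_alerts(SAMPLE_ALERTS)` keeps only rows 1 and 3; `triage()` then rates the external SMB attempt against the PLC "high" (two findings) and the internal HTTP logins against the HMI "low" (no findings). Two caveats are built in because the KQL behaves the same way: the `isNew` comparison is an exact, case-sensitive string match, and an empty `RemediationSteps` array flattens to an empty string, so an automation rule that keys on either field needs to tolerate both.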
