Pulse Connect Secure VPN Bugbash Changes
This commit is contained in:
Родитель
00ee8cf5f0
Коммит
63b106bf18
|
@ -1,27 +1,27 @@
|
|||
id: 34663177-8abf-4db1-b0a4-5683ab273f44
|
||||
name: Multiple Failed VPN User Logins
|
||||
description: |
|
||||
'Creates an incident in the event of multiple unsuccessful attempts to log into the VPN server, which could indicate a potential brute force attack.'
|
||||
severity: Low
|
||||
requiredDataConnectors:
|
||||
- connectorId: PulseConnectSecure
|
||||
dataTypes:
|
||||
- Syslog
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- CredentialAccess
|
||||
relevantTechniques:
|
||||
- T1110
|
||||
query: |
|
||||
|
||||
let timeframe = ago(1h);
|
||||
let threshold = 20;
|
||||
PulseConnectSecure
|
||||
| where TimeGenerated >= timeframe
|
||||
| where Messages contains "Login failed"
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
|
||||
| where count_ > threshold
|
||||
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
|
||||
id: 34663177-8abf-4db1-b0a4-5683ab273f44
|
||||
name: Potential Brute Force Attempts
|
||||
description: |
|
||||
'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
|
||||
severity: Low
|
||||
requiredDataConnectors:
|
||||
- connectorId: PulseConnectSecure
|
||||
dataTypes:
|
||||
- Syslog
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- CredentialAccess
|
||||
relevantTechniques:
|
||||
- T1110
|
||||
query: |
|
||||
|
||||
let timeframe = ago(1h);
|
||||
let threshold = 20;
|
||||
PulseConnectSecure
|
||||
| where TimeGenerated >= timeframe
|
||||
| where Messages contains "Login failed"
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
|
||||
| where count_ > threshold
|
||||
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
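Review bot: The failure match on the `| where Messages contains "Login failed"` line differs from the `startswith "Login failed"` used by the password-spray rule in the same commit, so the two rules can count different subsets of the same syslog events; using one operator in both keeps a single failed login counted consistently. Grouping by `User, Source_IP` with `let threshold = 20;` only surfaces repeated failures from one source against one account, so an attempt spread over many addresses stays below the threshold per pair — worth stating in the description, or pairing with a grouping by `User` alone. `let timeframe = ago(1h);` duplicates `queryPeriod: 1h`; a comment such as `// keep timeframe aligned with queryPeriod above` would prevent the two from drifting apart. Which of the two printed copies is the new side is not marked on this page, so this applies to whichever copy is retained.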
|
|
@ -1,7 +1,8 @@
|
|||
id: 1fa1528e-f746-4794-8a41-14827f4cb798
|
||||
name: Large Number of Distinct Failed User Logins
|
||||
name: Potential Password Spray Attempts
|
||||
description: |
|
||||
'This creates an incident in the event a Pulse Secure VPN server experiences failed login attempts from a large number of distinct users.'
|
||||
'This query identifies evidence of potential password spray activity against the Pulse Secure VPN server,
|
||||
by looking for failures from multiple accounts, originating from the same host within a time window'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: PulseConnectSecure
|
||||
|
@ -13,11 +14,8 @@ triggerOperator: gt
|
|||
triggerThreshold: 0
|
||||
tactics:
|
||||
- CredentialAccess
|
||||
- Discovery
|
||||
relevantTechniques:
|
||||
- T1110
|
||||
- T1201
|
||||
|
||||
relevantTechniques:
|
||||
- T1110
|
||||
query: |
|
||||
|
||||
let timeframe = ago(1h);
|
||||
|
@ -27,4 +25,4 @@ query: |
|
|||
| where Messages startswith "Login failed"
|
||||
| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
|
||||
| where dcount_User > threshold
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Computer
|
||||
| extend timestamp = TimeGenerated, HostCustomEntity = Computer
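Review bot: The spray query aggregates with `| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)` and maps `HostCustomEntity = Computer`, but if `Computer` on this Syslog-backed table is the logging VPN appliance rather than the client address, the incident entity points at the server and the "same host" in the new description is never the origin of the attempts; the sibling brute-force rule groups on `Source_IP`, so `| summarize dcount(User) by Source_IP, bin(TimeGenerated, 15m)` with `IPCustomEntity = Source_IP` would match both the description and that rule — confirm which field carries the client address for this connector before changing it. The final `| extend timestamp = TimeGenerated, HostCustomEntity = Computer` line is printed twice with identical text, so the change on that line is presumably whitespace or line ending only and is worth a mention in the commit description. The query's `let` declarations start outside this hunk.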
|