Pulse Connect Secure VPN Bugbash Changes

Detections/PulseConnectSecure/PulseConnectSecureVPN-BruteForce.yaml

@@ -1,27 +1,27 @@
-id: 34663177-8abf-4db1-b0a4-5683ab273f44
-name: Multiple Failed VPN User Logins
-description: |
-  'Creates an incident in the event of multiple unsuccessful attempts to log into the VPN server, which could indicate a potential brute force attack.'
-severity: Low
-requiredDataConnectors:
-  - connectorId: PulseConnectSecure
-    dataTypes: 
-      - Syslog
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - CredentialAccess 
-relevantTechniques:
-  - T1110
-query: |
-
-  let timeframe = ago(1h);
-  let threshold = 20;
-  PulseConnectSecure
-  | where TimeGenerated >= timeframe
-  | where Messages contains "Login failed"
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
-  | where count_ > threshold
-  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
+id: 34663177-8abf-4db1-b0a4-5683ab273f44
+name: Potential Brute Force Attempts
+description: |
+  'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
+severity: Low
+requiredDataConnectors:
+  - connectorId: PulseConnectSecure
+    dataTypes: 
+      - Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess 
+relevantTechniques:
+  - T1110
+query: |
+
+  let timeframe = ago(1h);
+  let threshold = 20;
+  PulseConnectSecure
+  | where TimeGenerated >= timeframe
+  | where Messages contains "Login failed"
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
+  | where count_ > threshold
+  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP

Detections/PulseConnectSecure/PulseConnectSecureVPN-PasswordSpray.yaml

@@ -1,7 +1,8 @@
 id: 1fa1528e-f746-4794-8a41-14827f4cb798
-name: Large Number of Distinct Failed User Logins
+name: Potential Password Spray Attempts
 description: |
-  'This creates an incident in the event a Pulse Secure VPN server experiences failed login attempts from a large number of distinct users.'
+  'This query identifies evidence of potential password spray activity against the Pulse Secure VPN server, 
+   by looking for failures from multiple accounts, originating from the same host within a time window'
 severity: Medium
 requiredDataConnectors:
   - connectorId: PulseConnectSecure
@@ -13,11 +14,8 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
   - CredentialAccess
-  - Discovery 
-relevantTechniques:
-  - T1110
-  - T1201 
-  
+  relevantTechniques:
+  - T1110  
 query: |
 
   let timeframe = ago(1h);
@@ -27,4 +25,4 @@ query: |
   | where Messages startswith "Login failed"
   | summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
   | where dcount_User > threshold
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
+  | extend timestamp = TimeGenerated, HostCustomEntity = Computer