Merge pull request #1022 from Azure/PulseConnectSecure_BugBash

Pulse Connect Secure VPN Bugbash Changes
2020-09-17 19:03:25 -07:00 · 2020-09-17 19:03:25 -07:00 · 6a46db221f
--- a/Detections/PulseConnectSecure/PulseConnectSecureVPN-BruteForce.yaml
+++ b/Detections/PulseConnectSecure/PulseConnectSecureVPN-BruteForce.yaml
@ -1,27 +1,27 @@
-id: 34663177-8abf-4db1-b0a4-5683ab273f44
-name: Multiple Failed VPN User Logins
-description: |
-  'Creates an incident in the event of multiple unsuccessful attempts to log into the VPN server, which could indicate a potential brute force attack.'
-severity: Low
-requiredDataConnectors:
-  - connectorId: PulseConnectSecure
-    dataTypes: 
-      - Syslog
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - CredentialAccess 
-relevantTechniques:
-  - T1110
-query: |
-
-  let timeframe = ago(1h);
-  let threshold = 20;
-  PulseConnectSecure
-  | where TimeGenerated >= timeframe
-  | where Messages contains "Login failed"
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
-  | where count_ > threshold
-  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
+id: 34663177-8abf-4db1-b0a4-5683ab273f44
+name: PulseConnectSecure - Potential Brute Force Attempts
+description: |
+  'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
+severity: Low
+requiredDataConnectors:
+  - connectorId: PulseConnectSecure
+    dataTypes: 
+      - Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess 
+relevantTechniques:
+  - T1110
+query: |
+
+  let timeframe = ago(1h);
+  let threshold = 20;
+  PulseConnectSecure
+  | where TimeGenerated >= timeframe
+  | where Messages contains "Login failed"
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
+  | where count_ > threshold
+  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
--- a/Detections/PulseConnectSecure/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
+++ b/Detections/PulseConnectSecure/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
@ -1,7 +1,7 @@
 id: 1fa1528e-f746-4794-8a41-14827f4cb798
-name: Large Number of Distinct Failed User Logins
+name: PulseConnectSecure - Large Number of Distinct Failed User Logins
 description: |
-  'This creates an incident in the event a Pulse Secure VPN server experiences failed login attempts from a large number of distinct users.'
+  'This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server'
 severity: Medium
 requiredDataConnectors:
  - connectorId: PulseConnectSecure
@ -13,11 +13,8 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
  - CredentialAccess
-  - Discovery 
 relevantTechniques:
-  - T1110
-  - T1201 
-  
+  - T1110  
 query: |

  let timeframe = ago(1h);