brute force failed logins

socfortress · Mar 7, 2024 · 6163bc8 · 6163bc8
1 parent c760dfb
commit 6163bc8
Show file tree

Hide file tree

Showing 3 changed files with 597 additions and 0 deletions.
diff --git a/backend/app/integrations/sap_siem/routes/sap_siem.py b/backend/app/integrations/sap_siem/routes/sap_siem.py
@@ -17,6 +17,7 @@
 from app.integrations.sap_siem.services.sap_siem_failed_same_user_from_different_ip import sap_siem_failed_same_user_diff_ip
 from app.integrations.sap_siem.services.sap_siem_failed_same_user_different_geo_location import sap_siem_failed_same_user_diff_geo
 from app.integrations.sap_siem.services.sap_siem_successful_same_user_different_geo_location import sap_siem_successful_same_user_diff_geo
+from app.integrations.sap_siem.services.sap_siem_brute_forced_failed_logins import sap_siem_brute_force_failed
 
 integration_sap_siem_router = APIRouter()
 
@@ -167,3 +168,22 @@ async def invoke_sap_siem_same_user_successful_login_from_different_geo_location
     await sap_siem_successful_same_user_diff_geo(threshold=threshold, time_range=time_range, session=session)
 
     return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
+
+@integration_sap_siem_router.post(
+    "/brute_force_failed_logins",
+    response_model=InvokeSAPSiemResponse,
+    description="Rule: Logins from different IP addresses\n\n"
+                "Period: within 3 minutes\n\n"
+                "Prerequisite: \n\n"
+                "- At least 25 failed login attempts from different IP addresses\n\n"
+                "Result: IP addresses belong to an attack network",
+)
+async def invoke_sap_siem_brute_force_failed_logins_route(
+    threshold: Optional[int] = 0,
+    time_range: Optional[int] = 3,
+    session: AsyncSession = Depends(get_db),
+):
+    logger.info("Invoking SAP SIEM integration for brute force failed logins.")
+    await sap_siem_brute_force_failed(threshold=threshold, time_range=time_range, session=session)
+
+    return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
diff --git a/backend/app/integrations/sap_siem/schema/sap_siem.py b/backend/app/integrations/sap_siem/schema/sap_siem.py
@@ -220,6 +220,10 @@ class Result(BaseModel):
         "False",
         description="Whether the event has been analyzed for same user successful login from different geo",
     )
+    event_analyzed_brute_force_ip: Optional[str] = Field(
+        "False",
+        description="Whether the event has been analyzed for brute force IP",
+    )