brute_force_failed_logins_same_ip

socfortress · Mar 7, 2024 · 761d3a5 · 761d3a5
1 parent 0c0a0a1
commit 761d3a5
Show file tree

Hide file tree

Showing 3 changed files with 598 additions and 0 deletions.
diff --git a/backend/app/integrations/sap_siem/routes/sap_siem.py b/backend/app/integrations/sap_siem/routes/sap_siem.py
@@ -18,6 +18,7 @@
 from app.integrations.sap_siem.services.sap_siem_failed_same_user_different_geo_location import sap_siem_failed_same_user_diff_geo
 from app.integrations.sap_siem.services.sap_siem_successful_same_user_different_geo_location import sap_siem_successful_same_user_diff_geo
 from app.integrations.sap_siem.services.sap_siem_brute_forced_failed_logins import sap_siem_brute_force_failed_multiple_ips
+from app.integrations.sap_siem.services.sap_siem_brute_force_same_ip import sap_siem_brute_force_failed_same_ip
 
 integration_sap_siem_router = APIRouter()
 
@@ -187,3 +188,23 @@ async def invoke_sap_siem_brute_force_failed_logins_route(
     await sap_siem_brute_force_failed_multiple_ips(threshold=threshold, time_range=time_range, session=session)
 
     return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
+
+
+@integration_sap_siem_router.post(
+    "/brute_force_failed_logins_same_ip",
+    response_model=InvokeSAPSiemResponse,
+    description="Rule: Logins from the same IP address\n\n"
+                "Period: within 5 minutes\n\n"
+                "Prerequisite: \n\n"
+                "- At least 10 different user name failed login attempts from the same IP address\n\n"
+                "Result: IP addresses belong to an attack network",
+)
+async def invoke_sap_siem_brute_force_failed_logins_same_ip_route(
+    threshold: Optional[int] = 0,
+    time_range: Optional[int] = 5,
+    session: AsyncSession = Depends(get_db),
+):
+    logger.info("Invoking SAP SIEM integration for brute force failed logins from the same IP.")
+    await sap_siem_brute_force_failed_same_ip(threshold=threshold, time_range=time_range, session=session)
+
+    return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
diff --git a/backend/app/integrations/sap_siem/schema/sap_siem.py b/backend/app/integrations/sap_siem/schema/sap_siem.py
@@ -224,6 +224,10 @@ class Result(BaseModel):
         "False",
         description="Whether the event has been analyzed for brute force IP",
     )
+    event_analyzed_brute_force_same_ip: Optional[str] = Field(
+        "False",
+        description="Whether the event has been analyzed for brute force same IP",
+    )