same login failures multiple diff ips

backend/app/integrations/sap_siem/routes/sap_siem.py

@@ -2,6 +2,7 @@
 from fastapi import Depends
 from loguru import logger
 from sqlalchemy.ext.asyncio import AsyncSession
+from typing import Optional
 
 from app.db.db_session import get_db
 from app.integrations.routes import find_customer_integration
@@ -12,6 +13,8 @@
 from app.integrations.sap_siem.services.collect import collect_sap_siem
 from app.integrations.utils.utils import extract_auth_keys
 from app.integrations.utils.utils import get_customer_integration_response
+from app.integrations.sap_siem.services.sap_siem_successful_user_login_after_using_different_ip import sap_siem_successful_user_login_with_different_ip
+from app.integrations.sap_siem.services.sap_siem_failed_same_user_from_different_ip import sap_siem_failed_same_user_diff_ip
 
 integration_sap_siem_router = APIRouter()
 
@@ -69,3 +72,43 @@ async def collect_sap_siem_route(sap_siem_request: InvokeSapSiemRequest, session
         await collect_sap_siem(sap_siem_request=collect_sap_siem_request)
 
     return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
+
+
+@integration_sap_siem_router.post(
+    "/successful_user_login_with_different_ip",
+    response_model=InvokeSAPSiemResponse,
+    description="Rule: Successful user login after using different IP addresses\n\n"
+                "Period: within 15 minutes\n\n"
+                "Prerequisite: \n\n"
+                "- Login attempts from different IP addresses, regardless of login status (at least 2 failed IP addresses)\n\n"
+                "- Successful login afterwards (from the third successful IP address)\n\n"
+                "Result: User compressed, IP addresses belong to an attack network",
+)
+async def invoke_sap_siem_successful_user_login_with_different_ip_route(
+    threshold: Optional[int] = 0,
+    time_range: Optional[int] = 15,
+    session: AsyncSession = Depends(get_db),
+):
+    logger.info("Invoking SAP SIEM integration for successful user login with different IP.")
+    await sap_siem_successful_user_login_with_different_ip(threshold=threshold, time_range=time_range, session=session)
+
+    return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")
+
+@integration_sap_siem_router.post(
+    "/same_user_failed_login_from_different_ip",
+    response_model=InvokeSAPSiemResponse,
+    description="Rule: Same user from different IP addresses\n\n"
+                "Period: within 10 minutes\n\n"
+                "Prerequisite: \n\n"
+                "- At least 3 failed login attempts with the same user name from 3 different IP addresses\n\n"
+                "Result: User compressed, IP addresses belong to an attack network",
+)
+async def invoke_sap_siem_same_user_failed_login_from_different_ip_route(
+    threshold: Optional[int] = 0,
+    time_range: Optional[int] = 10,
+    session: AsyncSession = Depends(get_db),
+):
+    logger.info("Invoking SAP SIEM integration for same user failed login from different IP.")
+    await sap_siem_failed_same_user_diff_ip(threshold=threshold, time_range=time_range, session=session)
+
+    return InvokeSAPSiemResponse(success=True, message="SAP SIEM Events collected successfully.")

backend/app/integrations/sap_siem/schema/sap_siem.py

@@ -204,6 +204,15 @@ class Result(BaseModel):
         "False",
         description="Whether the event has been analyzed for multiple logins",
     )
+    event_analyzed_success_login_diff_ip: Optional[str] = Field(
+        "False",
+        description="Whether the event has been analyzed for successful login from different IP",
+    )
+    event_analyzed_same_user_failed_diff_ip: Optional[str] = Field(
+        "False",
+        description="Whether the event has been analyzed for same user failed login from different IP",
+    )
+
 
 
 class SapSiemResponseBody(BaseModel):