in security_hub_correlation_cdk/lambdas/create_sh_finding/create_sh_finding.py [0:0]
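def check_rdp_brute_force(sh_resource, ddbtable):
    """Look up a GuardDuty RDP brute-force finding for one resource.

    Queries the ``DYNAMODB_GSI_TYPE`` index of *ddbtable* for items whose
    ``ResourceId`` equals *sh_resource* and whose ``Types`` equals the
    GuardDuty ``UnauthorizedAccess:EC2-RDPBruteForce`` type string.

    Args:
        sh_resource: Resource identifier used as the ``ResourceId`` key value
            (presumably the Security Hub resource id; confirm with callers).
        ddbtable: Object exposing a boto3-style ``query`` method
            (expected to be a DynamoDB ``Table`` resource).

    Returns:
        The raw query response when at least one matching item was found,
        otherwise ``None`` (no match, or a ``ClientError`` from DynamoDB).
    """
    rdp_brute_force = 'TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce'
    try:
        rdp_brute_force_payload = ddbtable.query(
            IndexName=DYNAMODB_GSI_TYPE,
            # Key-condition objects keep the values parameterized; no
            # string-built expression is sent to DynamoDB.
            KeyConditionExpression=(
                Key('ResourceId').eq(sh_resource)
                & Key('Types').eq(rdp_brute_force)
            ),
        )
        # No FilterExpression is used, so a first page with Count == 0
        # means there are no matching items at all.
        if rdp_brute_force_payload['Count'] >= 1:
            logger.info('Found GuardDuty RDP Brute force for {}.'.format(sh_resource))
            return rdp_brute_force_payload
    except ClientError as error_handle:
        # botocore's ClientError carries the service error under
        # ``.response``; the previous ``.dynamodb_match`` attribute does not
        # exist and raised AttributeError inside the handler, hiding the
        # original DynamoDB error.
        logger.error(error_handle.response['Error']['Code'])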