It looks like you've blocked the webshell attacker's IP in this video, correct? But, if they just use a different IP, they can get right back in again, can't they? How do you actually remove the webshell and keep them from coming back, and can you identify how they got in to begin with so you can close up any holes? I've been looking all over the web for a solution to our problem but haven't found much useful information. :(
Thanks for your interest in using Azure Sentinel to investigate web shell attacks. Web shell attacks can be complex and each unfolding incident is different. If you need bespoke support investigating an incident, you will need to contact your Incident Response Partner in accordance with your organization's Incident Response Process. We have a blog that accompanied this demo. You may find more information to help there as it covers some ways to find the attacker. techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel-and-microsoft/ba-p/1448065
This is a great video and has made me a little excited to use this program in the future. Thank you.