Forge
New repositoryImport repositoryNew issue
Your repositories Your dashboard Sign in

cloudflare/Azure-Sentinel

Public

mirrored fromhttps://github.com/cloudflare/Azure-Sentinel

Watch0Fork0Star0
CodeCommitsIssuesPull requestsActionsInsightsSecurity
master

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

Azure-Sentinel/Detections/ASimNetworkSession

Detections/ASimNetworkSession/ExcessiveHTTPFailuresFromSource.yaml

64lines · modepreview

RawDownload
Latest commit unavailable.
unknown
id: 4902eddb-34f7-44a8-ac94-8486366e9494
name: Excessive number of failed connections from a single source (ASIM Network Session schema)
description: |
  'This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.<br><br>
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
severity: Medium
tags:
  - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SophosXGFirewall/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
    version: 1.0.0
  - Schema: ASimNetworkSessions
    SchemaVersion: 0.2.1
requiredDataConnectors:
  - connectorId: AWSS3
    datatypes:
      - AWSVPCFlow
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsForwardedEvents
    dataTypes:
      - WindowsEvent
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
  - connectorId: MicrosoftSysmonForLinux
    dataTypes:
      - Syslog
  - connectorId: PaloAltoNetworks
    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureMonitor(VMInsights)
    dataTypes:
      - VMConnection

queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1499
query: |
  let threshold = 5000;
  _Im_NetworkSession(eventresult='Failure')
  | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)
  | where Count > threshold
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
customDetails:
  NumberOfDenies: Count

alertDetailsOverride:
  alertDisplayNameFormat: Excessive number of failed connections from {{SrcIpAddr}}
  alertDescriptionFormat: 'The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.'
version: 1.2.0
kind: Scheduled