Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Remote Desktop Network Brute force ASIM Network Session schema

Remote Desktop Network Brute force ASIM Network Session schema

Back
Idb7dc801e-1e79-48bb-91e8-2229a8e6d40b
RulenameRemote Desktop Network Brute force (ASIM Network Session schema)
DescriptionThis detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Remote Desktop Network Brute force (ASIM Network Session schema).yaml
Version1.0.0
Arm templateb7dc801e-1e79-48bb-91e8-2229a8e6d40b.json
Deploy To Azure
// Start of the query and  Filter events that resulted in failure
_Im_NetworkSession(eventresult="Failure")
// Filter out private source IP addresses and focus on specific destination port (3389)
// Also, ensure that the source and destination IP addresses are not the same
| where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any ("3389") and SrcIpAddr != DstIpAddr
// Summarize the data by source and destination IP addresses, destination port number, network protocol, and event result
// Also, bin the time generated in 5-minute intervals
// Calculate the minimum and maximum time generated, the sum of event counts, and a set of up to 10 event vendors
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
// Filter the summarized data to include only those with an event count of 25 or more
| where Eventscount >= 25

description: |
    'This detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.'
query: |
  // Start of the query and  Filter events that resulted in failure
  _Im_NetworkSession(eventresult="Failure")
  // Filter out private source IP addresses and focus on specific destination port (3389)
  // Also, ensure that the source and destination IP addresses are not the same
  | where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any ("3389") and SrcIpAddr != DstIpAddr
  // Summarize the data by source and destination IP addresses, destination port number, network protocol, and event result
  // Also, bin the time generated in 5-minute intervals
  // Calculate the minimum and maximum time generated, the sum of event counts, and a set of up to 10 event vendors
  | summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
  // Filter the summarized data to include only those with an event count of 25 or more
  | where Eventscount >= 25  
requiredDataConnectors: []
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
tags:
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.4
status: Available
triggerThreshold: 0
tactics:
- CredentialAccess
queryPeriod: 1h
triggerOperator: gt
id: b7dc801e-1e79-48bb-91e8-2229a8e6d40b
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1110
severity: Medium
name: Remote Desktop Network Brute force (ASIM Network Session schema)
kind: Scheduled
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Remote Desktop Network Brute force (ASIM Network Session schema).yaml
version: 1.0.0