Several deny actions registered
| Id | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e |
| Rulename | Several deny actions registered |
| Description | Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall. |
| Severity | Medium |
| Tactics | Discovery LateralMovement CommandAndControl |
| Techniques | T1046 T1071 T1210 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml |
| Version | 1.1.1 |
| Arm template | f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e.json |
let threshold = 1;
union isfuzzy=true(
AZFWApplicationRule
| where Action == "Deny"
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWNetworkRule
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWFlowTrace
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWIdpsSignature
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AzureDiagnostics
| where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
| extend msg_s_replaced0 = replace(@"\s\s",@" ",msg_s)
| extend msg_s_replaced1 = replace(@"\.\s",@" ",msg_s_replaced0)
| extend msg_a = split(msg_s_replaced1," ")
| extend srcAddr_a = split(msg_a[3],":") , destAddr_a = split(msg_a[5],":")
| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])
| where Action == "Deny"
| extend Fqdn = iff(DestinationIp matches regex "\\d+\\.\\d+\\.\\d+\\.\\d+","",DestinationIp)
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"])
triggerOperator: gt
queryFrequency: 1h
description: |
'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.'
status: Available
kind: Scheduled
triggerThreshold: 1
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWNetworkRule
- AZFWFlowTrace
- AZFWIdpsSignature
version: 1.1.1
queryPeriod: 1h
name: Several deny actions registered
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml
id: f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e
tactics:
- Discovery
- LateralMovement
- CommandAndControl
relevantTechniques:
- T1046
- T1071
- T1210
severity: Medium
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIp
entityType: IP
- fieldMappings:
- identifier: Url
columnName: Fqdn
entityType: URL
query: |
let threshold = 1;
union isfuzzy=true(
AZFWApplicationRule
| where Action == "Deny"
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWNetworkRule
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWFlowTrace
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AZFWIdpsSignature
| where Action == "Deny"
| extend Fqdn = DestinationIp
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"]),
(AzureDiagnostics
| where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
| extend msg_s_replaced0 = replace(@"\s\s",@" ",msg_s)
| extend msg_s_replaced1 = replace(@"\.\s",@" ",msg_s_replaced0)
| extend msg_a = split(msg_s_replaced1," ")
| extend srcAddr_a = split(msg_a[3],":") , destAddr_a = split(msg_a[5],":")
| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])
| where Action == "Deny"
| extend Fqdn = iff(DestinationIp matches regex "\\d+\\.\\d+\\.\\d+\\.\\d+","",DestinationIp)
| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol
| where count_ >= ["threshold"])
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e')]",
"properties": {
"alertRuleTemplateName": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e",
"customDetails": null,
"description": "'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.'\n",
"displayName": "Several deny actions registered",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Fqdn",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml",
"query": "let threshold = 1;\nunion isfuzzy=true(\nAZFWApplicationRule\n| where Action == \"Deny\"\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWNetworkRule\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWFlowTrace\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AZFWIdpsSignature\n| where Action == \"Deny\"\n| extend Fqdn = DestinationIp\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"]),\n(AzureDiagnostics\n| where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n| extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n| extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n| extend msg_a = split(msg_s_replaced1,\" \")\n| extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n| extend Protocol = tostring(msg_a[0]), SourceIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), DestinationIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), Action = tostring(msg_a[7])\n| where Action == \"Deny\"\n| extend Fqdn = iff(DestinationIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",DestinationIp)\n| summarize StartTime = min(TimeGenerated), count() by SourceIp, Fqdn, Action, Protocol\n| where count_ >= [\"threshold\"])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Discovery",
"LateralMovement"
],
"techniques": [
"T1046",
"T1071",
"T1210"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}