SonicWall - Allowed SSH, Telnet, and RDP Connections
| Id | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 |
| Rulename | SonicWall - Allowed SSH, Telnet, and RDP Connections |
| Description | This rule identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall). |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence CredentialAccess Discovery LateralMovement Collection Exfiltration Impact |
| Techniques | T1190 T1133 T1059 T1133 T1110 T1003 T1087 T1018 T1021 T1005 T1048 T1041 T1011 T1567 T1490 |
| Required data connectors | CEF CefAma SonicWallFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/AllowedInboundSSHTelnetRDPConnections.yaml |
| Version | 1.0.1 |
| Arm template | 27f1a570-5f20-496b-88f6-a9aa2c5c9534.json |
ASimNetworkSessionSonicWallFirewall(false)
| where NetworkDirection == "Inbound" and EventResult in ("NA", "Success")
| where EventOriginalType != 1370
| where SrcAppName contains "Windows Remote Desktop Services"
or SrcAppName contains "Telnet"
or (SrcAppName contains "SSH Protocol" and ThreatId != 446) // Filters out SSH server responses.
or SrcAppName contains "Bitvise SSH"
or DstPortNumber in (22, 23, 3389)
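The filter above, re-implemented in plain Python and run over constructed ASIM NetworkSession rows, as an added example that is not code from the Azure-Sentinel repository or the SonicWall solution. Field names follow the ASIM NetworkSession schema the parser emits; every value in the sample rows (addresses, the EventOriginalType values, the ThreatId placeholder 0 for sessions without a threat) is made up for illustration and is not taken from real SonicWall logs.

```python
# Added example: plain-Python equivalent of the rule's KQL predicate, run over
# constructed ASIM NetworkSession rows. Not the rule's own code; values assumed.
from typing import Optional

# Constructed sample rows shaped like ASimNetworkSessionSonicWallFirewall output.
# EventOriginalType 98 and ThreatId 0 are placeholders, not documented SonicWall values.
SAMPLE_SESSIONS = [
    # 1: allowed inbound RDP classified by App Control
    {"id": 1, "NetworkDirection": "Inbound", "EventResult": "Success", "EventOriginalType": 98,
     "SrcAppName": "Windows Remote Desktop Services", "ThreatId": 0, "DstPortNumber": 3389,
     "SrcIpAddr": "203.0.113.10", "DstIpAddr": "10.0.0.5"},
    # 2: SSH on a non-standard port; only the App Control clause can catch it
    {"id": 2, "NetworkDirection": "Inbound", "EventResult": "NA", "EventOriginalType": 98,
     "SrcAppName": "SSH Protocol", "ThreatId": 0, "DstPortNumber": 2222,
     "SrcIpAddr": "203.0.113.11", "DstIpAddr": "10.0.0.6"},
    # 3: SSH server response (ThreatId 446) to an ephemeral port; excluded by the rule's comment'd clause
    {"id": 3, "NetworkDirection": "Inbound", "EventResult": "Success", "EventOriginalType": 98,
     "SrcAppName": "SSH Protocol", "ThreatId": 446, "DstPortNumber": 51422,
     "SrcIpAddr": "10.0.0.6", "DstIpAddr": "203.0.113.11"},
    # 4: application not classified at all; caught by the port fallback alone
    {"id": 4, "NetworkDirection": "Inbound", "EventResult": "Success", "EventOriginalType": 98,
     "SrcAppName": "", "ThreatId": 0, "DstPortNumber": 22,
     "SrcIpAddr": "203.0.113.12", "DstIpAddr": "10.0.0.7"},
    # 5: outbound RDP; the direction filter drops it
    {"id": 5, "NetworkDirection": "Outbound", "EventResult": "Success", "EventOriginalType": 98,
     "SrcAppName": "Windows Remote Desktop Services", "ThreatId": 0, "DstPortNumber": 3389,
     "SrcIpAddr": "10.0.0.5", "DstIpAddr": "198.51.100.9"},
    # 6: inbound Telnet the firewall denied; EventResult filter drops it
    {"id": 6, "NetworkDirection": "Inbound", "EventResult": "Failure", "EventOriginalType": 98,
     "SrcAppName": "Telnet", "ThreatId": 0, "DstPortNumber": 23,
     "SrcIpAddr": "203.0.113.13", "DstIpAddr": "10.0.0.8"},
    # 7: inbound Telnet carrying the excluded EventOriginalType
    {"id": 7, "NetworkDirection": "Inbound", "EventResult": "Success", "EventOriginalType": 1370,
     "SrcAppName": "Telnet", "ThreatId": 0, "DstPortNumber": 23,
     "SrcIpAddr": "203.0.113.14", "DstIpAddr": "10.0.0.9"},
]


def _kql_contains(value: Optional[str], needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring test; a missing field never matches."""
    return value is not None and needle.lower() in value.lower()


def match_reason(row: dict) -> Optional[str]:
    """Return the clause that makes the rule fire for `row`, or None if it is filtered out.

    The KQL `or` chain has no evaluation order; this function reports the first
    clause that holds, so a row matching both an App Control clause and the port
    fallback is reported under the App Control clause.
    """
    # First `where`: only allowed (or result-less) inbound sessions.
    if row.get("NetworkDirection") != "Inbound":
        return None
    if row.get("EventResult") not in ("NA", "Success"):
        return None
    # Second `where`: drop the excluded event type.
    if row.get("EventOriginalType") == 1370:
        return None
    # Third `where`: App Control name, or the well-known destination port.
    app = row.get("SrcAppName")
    if _kql_contains(app, "Windows Remote Desktop Services"):
        return "app:rdp"
    if _kql_contains(app, "Telnet"):
        return "app:telnet"
    # Python's `None != 446` is True; Kusto handles comparisons with null differently,
    # so the samples use 0 rather than None for "no threat" (an assumption, see note below).
    if _kql_contains(app, "SSH Protocol") and row.get("ThreatId") != 446:
        return "app:ssh"
    if _kql_contains(app, "Bitvise SSH"):
        return "app:bitvise-ssh"
    if row.get("DstPortNumber") in (22, 23, 3389):
        return "port:%d" % row["DstPortNumber"]
    return None


def run_rule(rows) -> dict:
    """Evaluate every row; return {id: reason} for the rows the rule would return."""
    hits = {}
    for row in rows:
        reason = match_reason(row)
        if reason is not None:
            hits[row["id"]] = reason
    return hits


def would_alert(rows) -> bool:
    """Mirror triggerOperator: gt / triggerThreshold: 0, i.e. any returned row alerts."""
    return len(run_rule(rows)) > 0


if __name__ == "__main__":
    for sid, reason in run_rule(SAMPLE_SESSIONS).items():
        print(f"session {sid}: {reason}")
```

Two things the sample rows make visible. Row 2 is only caught because App Control labelled it "SSH Protocol"; with the port fallback in place, row 4 shows that any allowed inbound session to 22, 23 or 3389 returns regardless of what the application is, so the App Control clauses only add coverage for non-standard ports. The `ThreatId != 446` clause behaves as the comment intends for row 3 because a server response lands on an ephemeral destination port; before relying on that clause in a workspace, check how the parser populates ThreatId for allowed SSH sessions that carry no threat, since Kusto's treatment of a null in `!=` is not the same as Python's.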
query: |
  ASimNetworkSessionSonicWallFirewall(false)
  | where NetworkDirection == "Inbound" and EventResult in ("NA", "Success")
  | where EventOriginalType != 1370
  | where SrcAppName contains "Windows Remote Desktop Services"
      or SrcAppName contains "Telnet"
      or (SrcAppName contains "SSH Protocol" and ThreatId != 446) // Filters out SSH server responses.
      or SrcAppName contains "Bitvise SSH"
      or DstPortNumber in (22, 23, 3389)
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/AllowedInboundSSHTelnetRDPConnections.yaml
status: Experimental
description: |
  'This rule identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).'
queryFrequency: 1h
name: SonicWall - Allowed SSH, Telnet, and RDP Connections
kind: Scheduled
triggerThreshold: 0
id: 27f1a570-5f20-496b-88f6-a9aa2c5c9534
requiredDataConnectors:
  - connectorId: CEF
    dataTypes:
      - CommonSecurityLog
  - connectorId: SonicWallFirewall
    dataTypes:
      - ASimNetworkSessionSonicWallFirewall
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
severity: Medium
queryPeriod: 1h
entityMappings:
  - fieldMappings:
      - columnName: SrcIpAddr
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: DstIpAddr
        identifier: Address
    entityType: IP
relevantTechniques:
  - T1190
  - T1133
  - T1059
  - T1133
  - T1110
  - T1003
  - T1087
  - T1018
  - T1021
  - T1005
  - T1048
  - T1041
  - T1011
  - T1567
  - T1490
tactics:
  - InitialAccess
  - Execution
  - Persistence
  - CredentialAccess
  - Discovery
  - LateralMovement
  - Collection
  - Exfiltration
  - Impact