Microsoft Sentinel Analytic Rules

SonicWall - Allowed SSH Telnet and RDP Connections

Id: 27f1a570-5f20-496b-88f6-a9aa2c5c9534
Rule name: SonicWall - Allowed SSH, Telnet, and RDP Connections
Description: This rule identifies allowed inbound SSH, Telnet, and RDP connections (matched by SonicWall application signature, or by destination port 22, 23 or 3389). It leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall). Because the trigger threshold is 0, every matching session produces a result; in environments that legitimately expose these services, tune the rule with an allow-list of known management sources before enabling it.
Severity: Medium
Tactics: InitialAccess
Execution
Persistence
CredentialAccess
Discovery
LateralMovement
Collection
Exfiltration
Impact
Techniques: T1190
T1133
T1059
T1110
T1003
T1087
T1018
T1021
T1005
T1048
T1041
T1011
T1567
T1490
Required data connectors: CEF (CommonSecurityLog)
SonicWallFirewall (ASimNetworkSessionSonicWallFirewall)
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt (the rule fires whenever the query returns at least one row)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/AllowedInboundSSHTelnetRDPConnections.yaml
Version: 1.0.0
Arm template: 27f1a570-5f20-496b-88f6-a9aa2c5c9534.json
// Allowed (or result-unknown) inbound sessions from the SonicWall ASIM Network Session parser.
// NOTE(review): the boolean argument is presumably the parser's "disabled" flag (false = enabled) - confirm against the parser definition.
ASimNetworkSessionSonicWallFirewall(false)
// "NA" is kept alongside "Success", so sessions whose result the parser could not determine are still reported.
| where NetworkDirection == "Inbound" and EventResult in ("NA", "Success")
// NOTE(review): 1370 is a SonicWall event id the upstream rule excludes; its meaning is not
// documented here - confirm against the SonicWall log event reference before tuning this filter.
| where EventOriginalType != 1370
// Match either on the firewall's application signature or, independently of the signature,
// on the well-known SSH/Telnet/RDP destination ports. Every matching session is a result
// (trigger threshold 0), so expect volume where these services are legitimately exposed;
// a known-management-source allow-list is the usual tuning point.
| where SrcAppName contains "Windows Remote Desktop Services"
    or SrcAppName contains "Telnet"
    or (SrcAppName contains "SSH Protocol" and ThreatId != 446) // Filters out SSH server responses.
    or SrcAppName contains "Bitvise SSH"
    or DstPortNumber in (22, 23, 3389)
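# NOTE(review): OriginalUri is not part of the Sentinel analytics-rule YAML schema. It matches the
# "Source Uri" shown on this page and appears to be added by the corpus site rather than the upstream rule.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/AllowedInboundSSHTelnetRDPConnections.yaml
id: 27f1a570-5f20-496b-88f6-a9aa2c5c9534
name: SonicWall - Allowed SSH, Telnet, and RDP Connections
# Plain text. The upstream file wraps the description in literal single quotes inside the block
# scalar, so the quotes (and a trailing newline) end up verbatim in the deployed rule.
description: >-
  This rule identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule
  leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).
severity: Medium
status: Experimental
kind: Scheduled
# Quoted so a YAML 1.1 loader cannot read it as a number.
version: "1.0.0"
requiredDataConnectors:
- connectorId: CEF
  dataTypes:
  - CommonSecurityLog
- connectorId: SonicWallFirewall
  dataTypes:
  - ASimNetworkSessionSonicWallFirewall
# Runs hourly over the preceding hour.
queryFrequency: 1h
queryPeriod: 1h
# "greater than 0": any row returned by the query raises the alert; the query does no aggregation.
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
- Persistence
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- Exfiltration
- Impact
# T1133 is listed once here; the upstream file repeats it.
relevantTechniques:
- T1190
- T1133
- T1059
- T1110
- T1003
- T1087
- T1018
- T1021
- T1005
- T1048
- T1041
- T1011
- T1567
- T1490
query: |
  // Allowed (or result-unknown) inbound sessions from the SonicWall ASIM Network Session parser.
  // NOTE(review): the boolean argument is presumably the parser's "disabled" flag (false = enabled) - confirm against the parser definition.
  ASimNetworkSessionSonicWallFirewall(false)
  // "NA" is kept alongside "Success", so sessions whose result the parser could not determine are still reported.
  | where NetworkDirection == "Inbound" and EventResult in ("NA", "Success")
  // NOTE(review): 1370 is a SonicWall event id the upstream rule excludes; its meaning is not
  // documented here - confirm against the SonicWall log event reference before tuning this filter.
  | where EventOriginalType != 1370
  // Match either on the firewall's application signature or, independently of the signature,
  // on the well-known SSH/Telnet/RDP destination ports. Every matching session is a result
  // (trigger threshold 0), so expect volume where these services are legitimately exposed;
  // a known-management-source allow-list is the usual tuning point.
  | where SrcAppName contains "Windows Remote Desktop Services"
      or SrcAppName contains "Telnet"
      or (SrcAppName contains "SSH Protocol" and ThreatId != 446) // Filters out SSH server responses.
      or SrcAppName contains "Bitvise SSH"
      or DstPortNumber in (22, 23, 3389)
# Both ends of the session are surfaced as IP entities for investigation.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DstIpAddr
    identifier: Address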
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27f1a570-5f20-496b-88f6-a9aa2c5c9534')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27f1a570-5f20-496b-88f6-a9aa2c5c9534')]",
      "properties": {
        "alertRuleTemplateName": "27f1a570-5f20-496b-88f6-a9aa2c5c9534",
        "customDetails": null,
        "description": "This rule identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser (ASimNetworkSessionSonicWallFirewall).",
        "displayName": "SonicWall - Allowed SSH, Telnet, and RDP Connections",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DstIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall Firewall/Analytic Rules/AllowedInboundSSHTelnetRDPConnections.yaml",
        "query": "ASimNetworkSessionSonicWallFirewall(false)\n| where NetworkDirection == \"Inbound\" and EventResult in (\"NA\", \"Success\")\n| where EventOriginalType != 1370\n| where SrcAppName contains \"Windows Remote Desktop Services\"\n    or SrcAppName contains \"Telnet\"\n    or (SrcAppName contains \"SSH Protocol\" and ThreatId != 446) // Filters out SSH server responses.\n    or SrcAppName contains \"Bitvise SSH\"\n    or DstPortNumber in (22, 23, 3389)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Experimental",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": [
          "T1003",
          "T1005",
          "T1011",
          "T1018",
          "T1021",
          "T1041",
          "T1048",
          "T1059",
          "T1087",
          "T1110",
          "T1133",
          "T1190",
          "T1490",
          "T1567"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}