Excessive Amount of Denied Connections from a Single Source

Back


Id	3d645a88-2724-41a7-adea-db74c439cf79
Rulename	Excessive Amount of Denied Connections from a Single Source
Description	This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.
Severity	Medium
Tactics	Impact
Techniques	T1499
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
Version	1.0.4
Arm template	3d645a88-2724-41a7-adea-db74c439cf79.json

KQL

let threshold = 5000;
SophosXGFirewall
| where Log_Type =~ "Firewall" and Status =~ "Deny"
| summarize count() by Src_IP, bin(TimeGenerated,5m)
| where count_ > threshold

YAML

relevantTechniques:
- T1499
queryPeriod: 1h
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
kind: Scheduled
triggerThreshold: 0
version: 1.0.4
id: 3d645a88-2724-41a7-adea-db74c439cf79
severity: Medium
name: Excessive Amount of Denied Connections from a Single Source
status: Available
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Src_IP
queryFrequency: 1h
query: |
  let threshold = 5000;
  SophosXGFirewall
  | where Log_Type =~ "Firewall" and Status =~ "Deny"
  | summarize count() by Src_IP, bin(TimeGenerated,5m)
  | where count_ > threshold  
description: |
    'This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.'
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml

ARM