Excessive Amount of Denied Connections from a Single Source

Back


Id	3d645a88-2724-41a7-adea-db74c439cf79
Rulename	Excessive Amount of Denied Connections from a Single Source
Description	This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.
Severity	Medium
Tactics	Impact
Techniques	T1499
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
Version	1.0.4
Arm template	3d645a88-2724-41a7-adea-db74c439cf79.json

KQL

let threshold = 5000;
SophosXGFirewall
| where Log_Type =~ "Firewall" and Status =~ "Deny"
| summarize count() by Src_IP, bin(TimeGenerated,5m)
| where count_ > threshold

YAML

version: 1.0.4
id: 3d645a88-2724-41a7-adea-db74c439cf79
relevantTechniques:
- T1499
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: Src_IP
    identifier: Address
  entityType: IP
name: Excessive Amount of Denied Connections from a Single Source
queryFrequency: 1h
triggerThreshold: 0
description: |
    'This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos XG Firewall/Analytic Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
queryPeriod: 1h
severity: Medium
kind: Scheduled
tactics:
- Impact
query: |
  let threshold = 5000;
  SophosXGFirewall
  | where Log_Type =~ "Firewall" and Status =~ "Deny"
  | summarize count() by Src_IP, bin(TimeGenerated,5m)
  | where count_ > threshold

ARM