let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
let T2 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_total = count() by destPublicIpAddress_s;
T2
| join kind=leftouter T1 on destPublicIpAddress_s
| project destPublicIpAddress_s, sourcePublicIpAddress_s, percent_of_traffic = 100*rows_count/rows_total
| order by percent_of_traffic desc
| where percent_of_traffic > 5
queryPeriod: 2h
query: |
let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
let T2 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_total = count() by destPublicIpAddress_s;
T2
| join kind=leftouter T1 on destPublicIpAddress_s
| project destPublicIpAddress_s, sourcePublicIpAddress_s, percent_of_traffic = 100*rows_count/rows_total
| order by percent_of_traffic desc
| where percent_of_traffic > 5
version: 1.0.1
name: DDoS Attack IP Addresses - Percent Threshold
entityMappings:
- fieldMappings:
- columnName: sourcePublicIpAddress_s
identifier: Address
entityType: IP
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 2h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure DDoS Protection/Analytic Rules/AttackSourcesPercentThreshold.yaml
description: Identifies IP addresses that generate over 5% of traffic during DDoS attack mitigation
kind: Scheduled
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: DDOS
dataTypes:
- AzureDiagnostics
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
id: 402a42ad-f31c-48d1-8f80-0200846b7f25
relevantTechniques:
- T1498
