let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
let T2 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_total = count() by destPublicIpAddress_s;
T2
| join kind=leftouter T1 on destPublicIpAddress_s
| project destPublicIpAddress_s, sourcePublicIpAddress_s, percent_of_traffic = 100*rows_count/rows_total
| order by percent_of_traffic desc
| where percent_of_traffic > 5
name: DDoS Attack IP Addresses - Percent Threshold
id: 402a42ad-f31c-48d1-8f80-0200846b7f25
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: sourcePublicIpAddress_s
identifier: Address
entityType: IP
version: 1.0.1
triggerOperator: gt
query: |
let T1 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_count = count() by destPublicIpAddress_s, sourcePublicIpAddress_s;
let T2 = AzureDiagnostics
| where ResourceType == "PUBLICIPADDRESSES" and Category == "DDoSMitigationFlowLogs"
| summarize rows_total = count() by destPublicIpAddress_s;
T2
| join kind=leftouter T1 on destPublicIpAddress_s
| project destPublicIpAddress_s, sourcePublicIpAddress_s, percent_of_traffic = 100*rows_count/rows_total
| order by percent_of_traffic desc
| where percent_of_traffic > 5
description: Identifies IP addresses that generate over 5% of traffic during DDoS attack mitigation
kind: Scheduled
queryFrequency: 2h
severity: Medium
queryPeriod: 2h
requiredDataConnectors:
- dataTypes:
- AzureDiagnostics
connectorId: DDOS
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure DDoS Protection/Analytic Rules/AttackSourcesPercentThreshold.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1498
tactics:
- Impact
