Analytic rule catalog
Multiple Sources Affected by the Same TI Destination
Back
| Id | 4644baf7-3464-45dd-bd9d-e07687e25f81 |
| Rulename | Multiple Sources Affected by the Same TI Destination |
| Description | Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group. Configurable Parameters: - Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5. - Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated. |
| Severity | Medium |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1041 T1071 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Firewall/Analytic%20Rules/Azure%20Firewall%20-%20Multiple%20Sources%20Affected%20by%20the%20Same%20TI%20Destination.yaml |
| Version | 1.1.5 |
| Arm template | 4644baf7-3464-45dd-bd9d-e07687e25f81.json |
let Timeframe = 1d;
let StartTime = ago(Timeframe);
let EndTime = now();
let MinAffectedThreshold = 5;
union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (StartTime .. EndTime)
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (StartTime .. EndTime))
| extend Fqdn = DestinationIp
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc
name: Multiple Sources Affected by the Same TI Destination
triggerOperator: gt
severity: Medium
queryFrequency: 1d
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIp
identifier: Address
- entityType: URL
fieldMappings:
- columnName: Fqdn
identifier: Url
relevantTechniques:
- T1041
- T1071
id: 4644baf7-3464-45dd-bd9d-e07687e25f81
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Firewall/Analytic%20Rules/Azure%20Firewall%20-%20Multiple%20Sources%20Affected%20by%20the%20Same%20TI%20Destination.yaml
queryPeriod: 1d
version: 1.1.5
tactics:
- Exfiltration
- CommandAndControl
status: Available
query: |
let Timeframe = 1d;
let StartTime = ago(Timeframe);
let EndTime = now();
let MinAffectedThreshold = 5;
union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (StartTime .. EndTime)
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (StartTime .. EndTime))
| extend Fqdn = DestinationIp
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc
customDetails:
ThreatDescription: ThreatDescription
description: |
'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.
Configurable Parameters:
- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.
- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWThreatIntel
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"properties": {
"alertRuleTemplateName": "4644baf7-3464-45dd-bd9d-e07687e25f81",
"customDetails": {
"ThreatDescription": "ThreatDescription"
},
"description": "'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'\n",
"displayName": "Multiple Sources Affected by the Same TI Destination",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Fqdn",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Firewall/Analytic%20Rules/Azure%20Firewall%20-%20Multiple%20Sources%20Affected%20by%20the%20Same%20TI%20Destination.yaml",
"query": "let Timeframe = 1d;\nlet StartTime = ago(Timeframe);\nlet EndTime = now(); \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (StartTime .. EndTime)\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (StartTime .. EndTime))\n| extend Fqdn = DestinationIp\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration"
],
"techniques": [
"T1041",
"T1071"
],
"templateVersion": "1.1.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}