Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Multiple Sources Affected by the Same TI Destination

Multiple Sources Affected by the Same TI Destination

Back
Id4644baf7-3464-45dd-bd9d-e07687e25f81
RulenameMultiple Sources Affected by the Same TI Destination
DescriptionIdentifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.



Configurable Parameters:



- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.

- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1071
Required data connectorsAzureFirewall
KindScheduled
Query frequency1d
Query period1d
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
Version1.1.3
Arm template4644baf7-3464-45dd-bd9d-e07687e25f81.json
Deploy To Azure
let RunTime = 1d; 
let StartRunTime = 1d; 
let EndRunTime = StartRunTime - RunTime; 
let MinAffectedThreshold = 5;
union isfuzzy=true
(AzureDiagnostics 
| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int  "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
query: |
  let RunTime = 1d; 
  let StartRunTime = 1d; 
  let EndRunTime = StartRunTime - RunTime; 
  let MinAffectedThreshold = 5;
  union isfuzzy=true
  (AzureDiagnostics 
  | where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))
  | where OperationName == "AzureFirewallThreatIntelLog"
  | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int  "." * "Action: Deny. " ThreatDescription),
  (AZFWThreatIntel
  | where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
  | summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
  | where array_length(AffectedIps) > MinAffectedThreshold
  | mv-expand SourceIp = AffectedIps
  | order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc  
description: |
  'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.

  Configurable Parameters:

  - Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.
  - Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'  
severity: Medium
requiredDataConnectors:
- dataTypes:
  - AzureDiagnostics
  - AZFWThreatIntel
  connectorId: AzureFirewall
name: Multiple Sources Affected by the Same TI Destination
triggerThreshold: 1
tactics:
- Exfiltration
- CommandAndControl
version: 1.1.3
relevantTechniques:
- T1041
- T1071
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Fqdn
    identifier: Url
id: 4644baf7-3464-45dd-bd9d-e07687e25f81
status: Available
kind: Scheduled
queryFrequency: 1d
queryPeriod: 1d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
      "properties": {
        "alertRuleTemplateName": "4644baf7-3464-45dd-bd9d-e07687e25f81",
        "customDetails": null,
        "description": "'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'\n",
        "displayName": "Multiple Sources Affected by the Same TI Destination",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Fqdn",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml",
        "query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int  \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1041",
          "T1071"
        ],
        "templateVersion": "1.1.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}