Multiple Sources Affected by the Same TI Destination
Id | 4644baf7-3464-45dd-bd9d-e07687e25f81 |
Rulename | Multiple Sources Affected by the Same TI Destination |
Description | Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group. Configurable Parameters: - Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5. - Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated. |
Severity | Medium |
Tactics | Exfiltration CommandAndControl |
Required data connectors | AzureFirewall |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 1 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml |
Version | 1.1.2 |
Arm template | 4644baf7-3464-45dd-bd9d-e07687e25f81.json |
let RunTime = 1d;
let StartRunTime = 1d;
let EndRunTime = StartRunTime - RunTime;
let MinAffectedThreshold = 5;
union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWThreatIntel
triggerOperator: gt
queryFrequency: 1d
name: Multiple Sources Affected by the Same TI Destination
status: Available
queryPeriod: 1d
id: 4644baf7-3464-45dd-bd9d-e07687e25f81
description: |
'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.
Configurable Parameters:
- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.
- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'
severity: Medium
query: |
let RunTime = 1d;
let StartRunTime = 1d;
let EndRunTime = StartRunTime - RunTime;
let MinAffectedThreshold = 5;
union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int "." * "Action: Deny. " ThreatDescription),
(AZFWThreatIntel
| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription
| where array_length(AffectedIps) > MinAffectedThreshold
| mv-expand SourceIp = AffectedIps
| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc
version: 1.1.2
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Fqdn
relevantTechniques: []
tactics:
- Exfiltration
- CommandAndControl
triggerThreshold: 1
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Multiple Sources Affected by the Same TI Destination",
"description": "'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.\n- Recommendation is to use the new resource specific logs. If you are using both, the TiTraffic Count will be duplicated.'\n",
"severity": "Medium",
"enabled": true,
"query": "let RunTime = 1d; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThreshold = 5;\nunion isfuzzy=true\n(AzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \".\" * \"Action: Deny. \" ThreatDescription),\n(AZFWThreatIntel\n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)))\n| summarize TiTrafficCount = count(), dCountSourceIps = dcount(SourceIp), AffectedIps = make_set(SourceIp, 10000) by Fqdn, ThreatDescription\n| where array_length(AffectedIps) > MinAffectedThreshold\n| mv-expand SourceIp = AffectedIps\n| order by TiTrafficCount desc, Fqdn asc, parse_ipv4(tostring(SourceIp)) asc\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"CommandAndControl"
],
"techniques": [],
"alertRuleTemplateName": "4644baf7-3464-45dd-bd9d-e07687e25f81",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SourceIp"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Url",
"columnName": "Fqdn"
}
],
"entityType": "URL"
}
],
"templateVersion": "1.1.2",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml",
"status": "Available"
}
}
]
}