Multiple Sources Affected by the Same TI Destination
Id | 4644baf7-3464-45dd-bd9d-e07687e25f81 |
Rulename | Multiple Sources Affected by the Same TI Destination |
Description | Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate an attack on the organization by the same attack group. Configurable Parameters: - Minimum affected threshold (a constant set inside the query, distinct from the rule's row-count trigger threshold) - alert only if more than this number of distinct source hosts reached the same destination. Default is set to 5. |
Severity | Medium |
Tactics | Exfiltration CommandAndControl |
Required data connectors | AzureFirewall |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 1 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml |
Version | 1.0.0 |
Arm template | 4644baf7-3464-45dd-bd9d-e07687e25f81.json |
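// Flags one threat-intel-blocked destination being contacted by many distinct
// source hosts, which is more consistent with a coordinated attack on the
// organization than with a single misbehaving machine.
// Input: Azure Firewall threat-intel rows in AzureDiagnostics
// (OperationName == "AzureFirewallThreatIntelLog"); srcip/dsturl/ThreatIntel
// are parsed out of msg_s.
//
// Configurable parameters:
//   RunTime              - time window examined. Keep it equal to the rule's
//                          queryPeriod (1h). The original filtered on
//                          ago(1d)..ago(23h), a window that does not match the
//                          1h queryPeriod/queryFrequency declared for this rule.
//   MinAffectedThreshold - alert only when MORE THAN this many distinct source
//                          IPs reached the same destination. Default 5. This is
//                          separate from the rule's triggerThreshold, which
//                          counts result rows, not hosts.
let RunTime = 1h;
let MinAffectedThreshold = 5;
AzureDiagnostics
// Cheap column filters first so the string parse only runs on TI rows.
| where OperationName == "AzureFirewallThreatIntelLog"
| where TimeGenerated > ago(RunTime)
| parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport "." * "ThreatIntel: " ThreatIntel
// parse leaves every capture empty when msg_s does not match the pattern;
// drop such rows so they cannot collapse into one empty-destination group.
| where isnotempty(srcip) and isnotempty(dsturl)
// Aggregate per destination only. The original also grouped by srcip, which
// pinned dCountSourceIps to 1 on every row, so the threshold below was never met
// and the rule could not fire.
| summarize TiTrafficCount = count(), dCountSourceIps = dcount(srcip), AffectedIps = make_set(srcip) by dsturl, ThreatIntel
| where dCountSourceIps > MinAffectedThreshold
// Expand back to one row per affected source so the IP entity mapping (a single
// address per row) stays valid; the per-destination aggregates repeat on each row.
| mv-expand srcip = AffectedIps to typeof(string)
| order by TiTrafficCount desc, dsturl asc
| extend IPCustomEntity = srcip, URLCustomEntity = dsturl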
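# Scheduled analytics rule: one TI-blocked destination reached by many distinct
# internal hosts within the lookback window.
severity: Medium
# Counts result rows returned by the query (fires when more than 1 row comes
# back). The per-destination host threshold is the MinAffectedThreshold
# constant inside the query, not this value.
triggerThreshold: 1
query: |
  // Flags one threat-intel-blocked destination being contacted by many distinct
  // source hosts, which is more consistent with a coordinated attack on the
  // organization than with a single misbehaving machine.
  // Input: Azure Firewall threat-intel rows in AzureDiagnostics
  // (OperationName == "AzureFirewallThreatIntelLog"); srcip/dsturl/ThreatIntel
  // are parsed out of msg_s.
  //
  // Configurable parameters:
  //   RunTime              - time window examined. Keep it equal to the rule's
  //                          queryPeriod (1h). The original filtered on
  //                          ago(1d)..ago(23h), a window that does not match the
  //                          1h queryPeriod/queryFrequency declared for this rule.
  //   MinAffectedThreshold - alert only when MORE THAN this many distinct source
  //                          IPs reached the same destination. Default 5. This is
  //                          separate from the rule's triggerThreshold, which
  //                          counts result rows, not hosts.
  let RunTime = 1h;
  let MinAffectedThreshold = 5;
  AzureDiagnostics
  // Cheap column filters first so the string parse only runs on TI rows.
  | where OperationName == "AzureFirewallThreatIntelLog"
  | where TimeGenerated > ago(RunTime)
  | parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport "." * "ThreatIntel: " ThreatIntel
  // parse leaves every capture empty when msg_s does not match the pattern;
  // drop such rows so they cannot collapse into one empty-destination group.
  | where isnotempty(srcip) and isnotempty(dsturl)
  // Aggregate per destination only. The original also grouped by srcip, which
  // pinned dCountSourceIps to 1 on every row, so the threshold below was never met
  // and the rule could not fire.
  | summarize TiTrafficCount = count(), dCountSourceIps = dcount(srcip), AffectedIps = make_set(srcip) by dsturl, ThreatIntel
  | where dCountSourceIps > MinAffectedThreshold
  // Expand back to one row per affected source so the IP entity mapping (a single
  // address per row) stays valid; the per-destination aggregates repeat on each row.
  | mv-expand srcip = AffectedIps to typeof(string)
  | order by TiTrafficCount desc, dsturl asc
  | extend IPCustomEntity = srcip, URLCustomEntity = dsturl
queryFrequency: 1h
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AzureDiagnostics
id: 4644baf7-3464-45dd-bd9d-e07687e25f81
version: 1.0.0
name: Multiple Sources Affected by the Same TI Destination
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml
# Lookback for each run; the query's own time filter (RunTime) must stay within it.
queryPeriod: 1h
relevantTechniques: []
triggerOperator: gt
tactics:
  - Exfiltration
  - CommandAndControl
description: |
  'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.
  Configurable Parameters:
  - Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.'
# Each result row carries exactly one source IP and one destination, which is
# what these single-value entity identifiers require.
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity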
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4644baf7-3464-45dd-bd9d-e07687e25f81')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Multiple Sources Affected by the Same TI Destination",
"description": "'Identifies multiple machines trying to reach out to the same destination blocked by TI in Azure Firewall. This can indicate attack on the organization by the same attack group.\n\nConfigurable Parameters:\n\n- Minimum affected threshold - alert only if more than this number of hosts affected. Default is set to 5.'\n",
"severity": "Medium",
"enabled": true,
"query": "let RunTime = 1h; \nlet StartRunTime = 1d; \nlet EndRunTime = StartRunTime - RunTime; \nlet MinAffectedThershold = 5; \nAzureDiagnostics \n| where TimeGenerated between (ago(StartRunTime) .. ago(EndRunTime)) \n| parse msg_s with * \"from \" srcip \":\" srcport \" to \" dsturl \":\" dstport \".\" * \"ThreatIntel: \" ThreatIntel \n| where OperationName == \"AzureFirewallThreatIntelLog\" | summarize TiTrafficCount = count(), dCountSourceIps = dcount(srcip), AffectedIps = make_set(srcip) by dsturl, ThreatIntel, srcip \n| where dCountSourceIps > MinAffectedThershold | order by TiTrafficCount desc\n| extend IPCustomEntity = srcip, URLCustomEntity = dsturl\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"CommandAndControl"
],
"techniques": [],
"alertRuleTemplateName": "4644baf7-3464-45dd-bd9d-e07687e25f81",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "URLCustomEntity",
"identifier": "Url"
}
],
"entityType": "URL"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Multiple Sources Affected by the Same TI Destination.yaml",
"templateVersion": "1.0.0",
"status": "Available"
}
}
]
}