Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive number of failed connections from a single source ASIM Network Session schema

Excessive number of failed connections from a single source ASIM Network Session schema

Back
Id4902eddb-34f7-44a8-ac94-8486366e9494
RulenameExcessive number of failed connections from a single source (ASIM Network Session schema)
DescriptionThis rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema
SeverityMedium
TacticsImpact
TechniquesT1499
Required data connectorsAIVectraStream
AWSS3
AzureFirewall
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
CiscoASA
CiscoAsaAma
CiscoMeraki
Corelight
Fortinet
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml
Version1.2.7
Arm template4902eddb-34f7-44a8-ac94-8486366e9494.json
Deploy To Azure
let threshold = 5000;
_Im_NetworkSession(eventresult='Failure')
| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)
| where Count > threshold
| extend timestamp = TimeGenerated, threshold

tags:
- version: 1.0.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20XG%20Firewall/Analytic%20Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.4
tactics:
- Impact
triggerOperator: gt
description: |
  'This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.
   This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'  
requiredDataConnectors:
- connectorId: AWSS3
  dataTypes:
  - AWSVPCFlow
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: AzureNSG
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoAsaAma
  dataTypes:
  - CommonSecurityLog
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoMeraki
  dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
relevantTechniques:
- T1499
version: 1.2.7
id: 4902eddb-34f7-44a8-ac94-8486366e9494
alertDetailsOverride:
  alertDisplayNameFormat: Excessive number of failed connections from {{SrcIpAddr}}
  alertDescriptionFormat: The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.
customDetails:
  NumberOfDenies: Count
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
kind: Scheduled
query: |
  let threshold = 5000;
  _Im_NetworkSession(eventresult='Failure')
  | summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)
  | where Count > threshold
  | extend timestamp = TimeGenerated, threshold  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml
queryFrequency: 1h
severity: Medium
name: Excessive number of failed connections from a single source (ASIM Network Session schema)
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4902eddb-34f7-44a8-ac94-8486366e9494')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4902eddb-34f7-44a8-ac94-8486366e9494')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.",
          "alertDisplayNameFormat": "Excessive number of failed connections from {{SrcIpAddr}}"
        },
        "alertRuleTemplateName": "4902eddb-34f7-44a8-ac94-8486366e9494",
        "customDetails": {
          "NumberOfDenies": "Count"
        },
        "description": "'This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'\n",
        "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml",
        "query": "let threshold = 5000;\n_Im_NetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sophos%20XG%20Firewall/Analytic%20Rules/ExcessiveAmountofDeniedConnectionsfromASingleSource.yaml",
            "version": "1.0.0"
          },
          {
            "Schema": "ASimNetworkSessions",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1499"
        ],
        "templateVersion": "1.2.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}