Microsoft Sentinel Analytic Rules

Detect Connections Outside Operational Hours

Id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
Rule name: Detect Connections Outside Operational Hours
Description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
Severity: High
Tactics: InitialAccess
Techniques: T1078, T1133
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1h
Query period: 24h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
Version: 1.0.0
Arm template: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa.json
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let operational_start_hour = 8; // Start of operational hours (8 AM)
let operational_end_hour = 18; // End of operational hours (6 PM)
NetworkAccessTraffic
| where TimeGenerated between(starttime .. endtime)
| extend HourOfDay = datetime_part('hour', TimeGenerated)
| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName
kind: Scheduled
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let operational_start_hour = 8; // Start of operational hours (8 AM)
  let operational_end_hour = 18; // End of operational hours (6 PM)
  NetworkAccessTraffic
  | where TimeGenerated between(starttime .. endtime)
  | extend HourOfDay = datetime_part('hour', TimeGenerated)
  | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
  | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
  | extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName
relevantTechniques:
- T1078
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 24h
tactics:
- InitialAccess
id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
requiredDataConnectors:
- dataTypes:
  - EnrichedMicrosoft365AuditLogs
  connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
queryFrequency: 1h
name: Detect Connections Outside Operational Hours
severity: High
version: 1.0.0
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]",
      "properties": {
        "alertRuleTemplateName": "4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa",
        "customDetails": null,
        "description": "This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.",
        "displayName": "Detect Connections Outside Operational Hours",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml",
        "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between(starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT24H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}