Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GSA - Detect Connections Outside Operational Hours

GSA - Detect Connections Outside Operational Hours

Back
Id4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
RulenameGSA - Detect Connections Outside Operational Hours
DescriptionThis query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
SeverityHigh
TacticsInitialAccess
TechniquesT1078
T1133
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period24h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
Version1.0.2
Arm template4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa.json
Deploy To Azure
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let operational_start_hour = 8; // Start of operational hours (8 AM)
let operational_end_hour = 18; // End of operational hours (6 PM)
NetworkAccessTraffic
| where TimeGenerated between (starttime .. endtime)
| extend HourOfDay = datetime_part('hour', TimeGenerated)
| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - NetworkAccessTrafficLogs
  connectorId: AzureActiveDirectory
id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
severity: High
status: Available
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let operational_start_hour = 8; // Start of operational hours (8 AM)
  let operational_end_hour = 18; // End of operational hours (6 PM)
  NetworkAccessTraffic
  | where TimeGenerated between (starttime .. endtime)
  | extend HourOfDay = datetime_part('hour', TimeGenerated)
  | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
  | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
  | extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
kind: Scheduled
queryPeriod: 24h
version: 1.0.2
name: GSA - Detect Connections Outside Operational Hours
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
- T1133
description: |
    This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
triggerOperator: gt