Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - Network Service Scanning Multiple IP Addresses

Back
Id599570d4-06f8-4939-8e29-95cd003f1abd
RulenameCorelight - Network Service Scanning Multiple IP Addresses
DescriptionIdentify scanning of services that may be available on the internal network.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
Version2.1.0
Arm template599570d4-06f8-4939-8e29-95cd003f1abd.json
Deploy To Azure
let threshold = 25;
union corelight_conn, corelight_conn_red
| where local_resp == true
| where local_orig == true
| where conn_state in~ ('S0', 'REJ')
| where history !contains 'D'
| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
| where count_ > threshold
name: Corelight - Network Service Scanning Multiple IP Addresses
version: 2.1.0
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1566
status: Available
description: |
    'Identify scanning of services that may be available on the internal network.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
requiredDataConnectors:
- connectorId: Corelight
  dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: id_orig_h
  entityType: IP
tactics:
- InitialAccess
queryPeriod: 1h
query: |
  let threshold = 25;
  union corelight_conn, corelight_conn_red
  | where local_resp == true
  | where local_orig == true
  | where conn_state in~ ('S0', 'REJ')
  | where history !contains 'D'
  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
  | where count_ > threshold  
kind: Scheduled
triggerThreshold: 0
id: 599570d4-06f8-4939-8e29-95cd003f1abd
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "properties": {
        "alertRuleTemplateName": "599570d4-06f8-4939-8e29-95cd003f1abd",
        "customDetails": null,
        "description": "'Identify scanning of services that may be available on the internal network.'\n",
        "displayName": "Corelight - Network Service Scanning Multiple IP Addresses",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "id_orig_h",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml",
        "query": "let threshold = 25;\nunion corelight_conn, corelight_conn_red\n| where local_resp == true\n| where local_orig == true\n| where conn_state in~ ('S0', 'REJ')\n| where history !contains 'D'\n| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}