Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - Network Service Scanning Multiple IP Addresses

Back
Id599570d4-06f8-4939-8e29-95cd003f1abd
RulenameCorelight - Network Service Scanning Multiple IP Addresses
DescriptionIdentify scanning of services that may be available on the internal network.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
Version2.1.0
Arm template599570d4-06f8-4939-8e29-95cd003f1abd.json
Deploy To Azure
let threshold = 25;
union corelight_conn, corelight_conn_red
| where local_resp == true
| where local_orig == true
| where conn_state in~ ('S0', 'REJ')
| where history !contains 'D'
| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
| where count_ > threshold
requiredDataConnectors:
- connectorId: Corelight
  dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
query: |
  let threshold = 25;
  union corelight_conn, corelight_conn_red
  | where local_resp == true
  | where local_orig == true
  | where conn_state in~ ('S0', 'REJ')
  | where history !contains 'D'
  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
  | where count_ > threshold  
version: 2.1.0
triggerOperator: gt
queryPeriod: 1h
triggerThreshold: 0
kind: Scheduled
status: Available
relevantTechniques:
- T1566
name: Corelight - Network Service Scanning Multiple IP Addresses
description: |
    'Identify scanning of services that may be available on the internal network.'
severity: Medium
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: id_orig_h
    identifier: Address
queryFrequency: 1h
id: 599570d4-06f8-4939-8e29-95cd003f1abd
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "properties": {
        "alertRuleTemplateName": "599570d4-06f8-4939-8e29-95cd003f1abd",
        "customDetails": null,
        "description": "'Identify scanning of services that may be available on the internal network.'\n",
        "displayName": "Corelight - Network Service Scanning Multiple IP Addresses",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "id_orig_h",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml",
        "query": "let threshold = 25;\nunion corelight_conn, corelight_conn_red\n| where local_resp == true\n| where local_orig == true\n| where conn_state in~ ('S0', 'REJ')\n| where history !contains 'D'\n| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}