Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - Network Service Scanning Multiple IP Addresses

Back
Id599570d4-06f8-4939-8e29-95cd003f1abd
RulenameCorelight - Network Service Scanning Multiple IP Addresses
DescriptionIdentify scanning of services that may be available on the internal network.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
Version2.1.0
Arm template599570d4-06f8-4939-8e29-95cd003f1abd.json
Deploy To Azure
let threshold = 25;
union corelight_conn, corelight_conn_red
| where local_resp == true
| where local_orig == true
| where conn_state in~ ('S0', 'REJ')
| where history !contains 'D'
| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
| where count_ > threshold
queryFrequency: 1h
tactics:
- InitialAccess
queryPeriod: 1h
kind: Scheduled
relevantTechniques:
- T1566
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
description: |
    'Identify scanning of services that may be available on the internal network.'
requiredDataConnectors:
- dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
  connectorId: Corelight
version: 2.1.0
triggerThreshold: 0
severity: Medium
triggerOperator: gt
id: 599570d4-06f8-4939-8e29-95cd003f1abd
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: id_orig_h
    identifier: Address
status: Available
name: Corelight - Network Service Scanning Multiple IP Addresses
query: |
  let threshold = 25;
  union corelight_conn, corelight_conn_red
  | where local_resp == true
  | where local_orig == true
  | where conn_state in~ ('S0', 'REJ')
  | where history !contains 'D'
  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
  | where count_ > threshold  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "properties": {
        "alertRuleTemplateName": "599570d4-06f8-4939-8e29-95cd003f1abd",
        "customDetails": null,
        "description": "'Identify scanning of services that may be available on the internal network.'\n",
        "displayName": "Corelight - Network Service Scanning Multiple IP Addresses",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "id_orig_h",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml",
        "query": "let threshold = 25;\nunion corelight_conn, corelight_conn_red\n| where local_resp == true\n| where local_orig == true\n| where conn_state in~ ('S0', 'REJ')\n| where history !contains 'D'\n| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}