Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - Network Service Scanning Multiple IP Addresses

Back
Id599570d4-06f8-4939-8e29-95cd003f1abd
RulenameCorelight - Network Service Scanning Multiple IP Addresses
DescriptionIdentify scanning of services that may be available on the internal network.
SeverityMedium
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
Version2.1.0
Arm template599570d4-06f8-4939-8e29-95cd003f1abd.json
Deploy To Azure
let threshold = 25;
union corelight_conn, corelight_conn_red
| where local_resp == true
| where local_orig == true
| where conn_state in~ ('S0', 'REJ')
| where history !contains 'D'
| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
| where count_ > threshold
triggerThreshold: 0
query: |
  let threshold = 25;
  union corelight_conn, corelight_conn_red
  | where local_resp == true
  | where local_orig == true
  | where conn_state in~ ('S0', 'REJ')
  | where history !contains 'D'
  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
  | where count_ > threshold  
name: Corelight - Network Service Scanning Multiple IP Addresses
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: id_orig_h
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
  connectorId: Corelight
kind: Scheduled
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml
severity: Medium
id: 599570d4-06f8-4939-8e29-95cd003f1abd
version: 2.1.0
description: |
    'Identify scanning of services that may be available on the internal network.'
triggerOperator: gt
relevantTechniques:
- T1566
status: Available
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/599570d4-06f8-4939-8e29-95cd003f1abd')]",
      "properties": {
        "alertRuleTemplateName": "599570d4-06f8-4939-8e29-95cd003f1abd",
        "customDetails": null,
        "description": "'Identify scanning of services that may be available on the internal network.'\n",
        "displayName": "Corelight - Network Service Scanning Multiple IP Addresses",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "id_orig_h",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightNetworkServiceScanning.yaml",
        "query": "let threshold = 25;\nunion corelight_conn, corelight_conn_red\n| where local_resp == true\n| where local_orig == true\n| where conn_state in~ ('S0', 'REJ')\n| where history !contains 'D'\n| summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}