Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Palo Alto - possible internal to external port scanning

Palo Alto - possible internal to external port scanning

Back
Id5b72f527-e3f6-4a00-9908-8e4fee14da9f
RulenamePalo Alto - possible internal to external port scanning
DescriptionIdentifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an “ApplicationProtocol = incomplete” designation. The server resets coupled with an “Incomplete” ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.

References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK
SeverityLow
TacticsDiscovery
TechniquesT1046
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
Version1.0.8
Arm template5b72f527-e3f6-4a00-9908-8e4fee14da9f.json
Deploy To Azure
CommonSecurityLog
| where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
// filter out common usage ports. Add ports that are legitimate for your environment
| where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
| where ApplicationProtocol == "incomplete"
// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port
| where DestinationPort !between (toint(49512) .. toint(65535))
| where Computer != ""
| where ipv4_is_private(DestinationIP) == false
| extend Reason = coalesce(
                              column_ifexists("Reason", ""),
                              extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
                              ""
                          )
// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
| where Reason !has "aged-out"
// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
| where Reason !has "tcp-fin"
// Uncomment one of the following where clauses to trigger on specific TCP reset reasons
// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
// TCP RST-server - Occurs when the server sends a TCP reset to the client
// | where AdditionalExtensions has "reason=tcp-rst-from-server"
// TCP RST-client - Occurs when the client sends a TCP reset to the server
// | where AdditionalExtensions has "reason=tcp-rst-from-client"
// Already performed
//| extend reason = tostring(split(AdditionalExtensions, ";")[3])
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
| where count_ >= 10
| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction

queryPeriod: 1h
query: |
  CommonSecurityLog
  | where isnotempty(DestinationPort) and DeviceAction !in ("reset-both", "deny")
  // filter out common usage ports. Add ports that are legitimate for your environment
  | where DestinationPort !in ("443", "53", "389", "80", "0", "880", "8888", "8080")
  | where ApplicationProtocol == "incomplete"
  // filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port
  | where DestinationPort !between (toint(49512) .. toint(65535))
  | where Computer != ""
  | where ipv4_is_private(DestinationIP) == false
  | extend Reason = coalesce(
                                column_ifexists("Reason", ""),
                                extract("reason=(.+?)(;|$)", 1, AdditionalExtensions),
                                ""
                            )
  // Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.
  | where Reason !has "aged-out"
  // Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.
  | where Reason !has "tcp-fin"
  // Uncomment one of the following where clauses to trigger on specific TCP reset reasons
  // See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
  // TCP RST-server - Occurs when the server sends a TCP reset to the client
  // | where AdditionalExtensions has "reason=tcp-rst-from-server"
  // TCP RST-client - Occurs when the client sends a TCP reset to the server
  // | where AdditionalExtensions has "reason=tcp-rst-from-client"
  // Already performed
  //| extend reason = tostring(split(AdditionalExtensions, ";")[3])
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
  | where count_ >= 10
  | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction  
name: Palo Alto - possible internal to external port scanning
entityMappings:
- fieldMappings:
  - columnName: SourceUserID
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
description: |
  'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an "ApplicationProtocol = incomplete" designation. The server resets coupled with an "Incomplete" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.
  References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and
  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK'  
kind: Scheduled
version: 1.0.8
status: Available
severity: Low
relevantTechniques:
- T1046
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
id: 5b72f527-e3f6-4a00-9908-8e4fee14da9f