Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Netskope - Suspicious Network Context Unusual IPsGeoPorts

Netskope - Suspicious Network Context Unusual IPsGeoPorts

Back
Id6d989fb0-933e-4ae6-88fa-10e7b51c8897
RulenameNetskope - Suspicious Network Context (Unusual IPs/Geo/Ports)
DescriptionDetects suspicious network activity based on unusual source/destination IPs, geographic anomalies, uncommon ports, and high traffic volumes.
SeverityMedium
TacticsCommandAndControl
Exfiltration
Discovery
TechniquesT1071
T1048
T1046
Required data connectorsNetskopeWebTxConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule9.yaml
Version1.0.0
Arm template6d989fb0-933e-4ae6-88fa-10e7b51c8897.json
Deploy To Azure
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername)
| extend 
    DstPort = coalesce(XCsDstPort, XSrDstPort, CsUriPort),
    SrcIP = coalesce(XCsSrcIp, CIp),
    DstIP = coalesce(XCsDstIp, XSrDstIp, SIp)
| summarize 
    EventCount = count(),
    TotalBytes = sum(Bytes),
    UniqueDstIPs = dcount(DstIP),
    DstIPs = make_set(DstIP, 20),
    UniqueDstPorts = dcount(DstPort),
    DstPorts = make_set(DstPort, 20),
    UniqueHosts = dcount(CsHost),
    Hosts = make_set(CsHost, 20),
    Countries = make_set(XSCountry),
    SuspiciousPortHits = countif(DstPort in (20, 21, 22, 23, 25, 445, 1433, 1434, 3306, 3389, 5432, 5900, 5901)),
    HighRiskCountryHits = countif(XSCountry in ('RU', 'CN', 'KP', 'IR', 'SY'))
    by CsUsername, XCsSrcIp, XCCountry, XCLocation, bin(TimeGenerated, 1h)
| where SuspiciousPortHits > 0 or HighRiskCountryHits > 0 or UniqueDstIPs > 50 or TotalBytes > 1073741824
| extend 
    TotalMB = round(TotalBytes / 1048576.0, 2),
    RiskFactors = strcat_array(array_concat(
        iff(SuspiciousPortHits > 0, dynamic(['Suspicious Ports']), dynamic([])),
        iff(HighRiskCountryHits > 0, dynamic(['High Risk Country']), dynamic([])),
        iff(UniqueDstIPs > 50, dynamic(['Many Destinations']), dynamic([])),
        iff(TotalBytes > 1073741824, dynamic(['High Volume']), dynamic([]))
    ), ', ')
| project 
    TimeGenerated,
    User = CsUsername,
    SourceIP = XCsSrcIp,
    SourceCountry = XCCountry,
    SourceLocation = XCLocation,
    DestinationIPs = DstIPs,
    UniqueDstIPCount = UniqueDstIPs,
    DestinationPorts = DstPorts,
    TargetHosts = Hosts,
    DestinationCountries = Countries,
    SuspiciousPortAccessCount = SuspiciousPortHits,
    HighRiskCountryAccessCount = HighRiskCountryHits,
    TotalDataMB = TotalMB,
    EventCount,
    RiskFactors

id: 6d989fb0-933e-4ae6-88fa-10e7b51c8897
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule9.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: User
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - NetskopeWebTransactions_CL
  connectorId: NetskopeWebTxConnector
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername)
  | extend 
      DstPort = coalesce(XCsDstPort, XSrDstPort, CsUriPort),
      SrcIP = coalesce(XCsSrcIp, CIp),
      DstIP = coalesce(XCsDstIp, XSrDstIp, SIp)
  | summarize 
      EventCount = count(),
      TotalBytes = sum(Bytes),
      UniqueDstIPs = dcount(DstIP),
      DstIPs = make_set(DstIP, 20),
      UniqueDstPorts = dcount(DstPort),
      DstPorts = make_set(DstPort, 20),
      UniqueHosts = dcount(CsHost),
      Hosts = make_set(CsHost, 20),
      Countries = make_set(XSCountry),
      SuspiciousPortHits = countif(DstPort in (20, 21, 22, 23, 25, 445, 1433, 1434, 3306, 3389, 5432, 5900, 5901)),
      HighRiskCountryHits = countif(XSCountry in ('RU', 'CN', 'KP', 'IR', 'SY'))
      by CsUsername, XCsSrcIp, XCCountry, XCLocation, bin(TimeGenerated, 1h)
  | where SuspiciousPortHits > 0 or HighRiskCountryHits > 0 or UniqueDstIPs > 50 or TotalBytes > 1073741824
  | extend 
      TotalMB = round(TotalBytes / 1048576.0, 2),
      RiskFactors = strcat_array(array_concat(
          iff(SuspiciousPortHits > 0, dynamic(['Suspicious Ports']), dynamic([])),
          iff(HighRiskCountryHits > 0, dynamic(['High Risk Country']), dynamic([])),
          iff(UniqueDstIPs > 50, dynamic(['Many Destinations']), dynamic([])),
          iff(TotalBytes > 1073741824, dynamic(['High Volume']), dynamic([]))
      ), ', ')
  | project 
      TimeGenerated,
      User = CsUsername,
      SourceIP = XCsSrcIp,
      SourceCountry = XCCountry,
      SourceLocation = XCLocation,
      DestinationIPs = DstIPs,
      UniqueDstIPCount = UniqueDstIPs,
      DestinationPorts = DstPorts,
      TargetHosts = Hosts,
      DestinationCountries = Countries,
      SuspiciousPortAccessCount = SuspiciousPortHits,
      HighRiskCountryAccessCount = HighRiskCountryHits,
      TotalDataMB = TotalMB,
      EventCount,
      RiskFactors  
name: Netskope - Suspicious Network Context (Unusual IPs/Geo/Ports)
kind: Scheduled
tactics:
- CommandAndControl
- Exfiltration
- Discovery
severity: Medium
relevantTechniques:
- T1071
- T1048
- T1046
triggerThreshold: 0
version: 1.0.0
description: |
    Detects suspicious network activity based on unusual source/destination IPs, geographic anomalies, uncommon ports, and high traffic volumes.