Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. DDoS Attack IP Addresses - PPS Threshold

DDoS Attack IP Addresses - PPS Threshold

Back
Id6e76fd9d-8104-41eb-bad3-26054a3ad5f0
RulenameDDoS Attack IP Addresses - PPS Threshold
DescriptionIdentifies IP addresses that generates maximal traffic rate over 10k PPS during DDoS attack mitigation
SeverityMedium
TacticsImpact
TechniquesT1498
Required data connectorsDDOS
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure DDoS Protection/Analytic Rules/AttackSourcesPPSThreshold.yaml
Version1.0.1
Arm template6e76fd9d-8104-41eb-bad3-26054a3ad5f0.json
Deploy To Azure
AzureDiagnostics 
| where ResourceType == 'PUBLICIPADDRESSES' and Category == "DDoSMitigationFlowLogs"
//sample rate of mitigation device 1:1000 so the PPS of the source is estimated to be x1000.
| summarize PPS = 1000 * count() by destPublicIpAddress_s, sec = bin(TimeGenerated, 1s), sourcePublicIpAddress_s
| summarize maxPPS = max(PPS) by destPublicIpAddress_s, sourcePublicIpAddress_s
| order by destPublicIpAddress_s, maxPPS desc
| where maxPPS > 10000

kind: Scheduled
status: Available
triggerOperator: gt
version: 1.0.1
tactics:
- Impact
queryPeriod: 2h
queryFrequency: 2h
id: 6e76fd9d-8104-41eb-bad3-26054a3ad5f0
requiredDataConnectors:
- connectorId: DDOS
  dataTypes:
  - AzureDiagnostics
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1498
description: Identifies IP addresses that generates maximal traffic rate over 10k PPS during DDoS attack mitigation
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: sourcePublicIpAddress_s
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure DDoS Protection/Analytic Rules/AttackSourcesPPSThreshold.yaml
triggerThreshold: 0
name: DDoS Attack IP Addresses - PPS Threshold
severity: Medium
query: |
  AzureDiagnostics 
  | where ResourceType == 'PUBLICIPADDRESSES' and Category == "DDoSMitigationFlowLogs"
  //sample rate of mitigation device 1:1000 so the PPS of the source is estimated to be x1000.
  | summarize PPS = 1000 * count() by destPublicIpAddress_s, sec = bin(TimeGenerated, 1s), sourcePublicIpAddress_s
  | summarize maxPPS = max(PPS) by destPublicIpAddress_s, sourcePublicIpAddress_s
  | order by destPublicIpAddress_s, maxPPS desc
  | where maxPPS > 10000