Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Port Sweep

Port Sweep

Back
Id720335f4-ee8c-4270-9424-d0859222168c
RulenamePort Sweep
DescriptionIdentifies a source IP scanning same open ports on the Azure Firewall IPs. This can indicate malicious scanning of port by an attacker, trying to reveal IPs with specific ports open in the organization. The ports can be compromised by attackers for initial access, most often by exploiting vulnerability.



Configurable Parameters:



- Port sweep time - the time range to look for multiple hosts scanned. Default is set to 30 seconds.

- Minimum different hosts threshold - alert only if more than this number of hosts scanned. Default is set to 200.
SeverityMedium
TacticsDiscovery
TechniquesT1046
Required data connectorsAzureFirewall
KindScheduled
Query frequency1h
Query period1d
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml
Version1.2.2
Arm template720335f4-ee8c-4270-9424-d0859222168c.json
Deploy To Azure
let MinimumDifferentHostsThreshold = 200;
let ExcludedPorts = dynamic([80 , 443]);
let BinTime = 30s;
union isfuzzy=true(
AZFWApplicationRule
| where DestinationPort !in (ExcludedPorts)
| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
| mv-expand Fqdn = AlertTimedCountHostsInBinTime),
(AZFWNetworkRule
| extend Fqdn = DestinationIp
| where DestinationPort !in (ExcludedPorts)
| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
| mv-expand Fqdn = AlertTimedCountHostsInBinTime),
(AzureDiagnostics
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
| where DestinationPort !in (ExcludedPorts)
| where isnotempty(Fqdn) and isnotempty(SourceIp) and isnotempty(DestinationPort)
| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
| mv-expand Fqdn = AlertTimedCountHostsInBinTime)
| project bin(TimeGenerated, BinTime), SourceIp, DestinationPort, AlertTimedCountHostsInBinTime, Fqdn

id: 720335f4-ee8c-4270-9424-d0859222168c
tactics:
- Discovery
queryPeriod: 1d
triggerThreshold: 1
name: Port Sweep
query: |
  let MinimumDifferentHostsThreshold = 200;
  let ExcludedPorts = dynamic([80 , 443]);
  let BinTime = 30s;
  union isfuzzy=true(
  AZFWApplicationRule
  | where DestinationPort !in (ExcludedPorts)
  | summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
  | where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
  | mv-expand Fqdn = AlertTimedCountHostsInBinTime),
  (AZFWNetworkRule
  | extend Fqdn = DestinationIp
  | where DestinationPort !in (ExcludedPorts)
  | summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
  | where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
  | mv-expand Fqdn = AlertTimedCountHostsInBinTime),
  (AzureDiagnostics
  | where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
  | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
  | where DestinationPort !in (ExcludedPorts)
  | where isnotempty(Fqdn) and isnotempty(SourceIp) and isnotempty(DestinationPort)
  | summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort
  | where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold
  | mv-expand Fqdn = AlertTimedCountHostsInBinTime)
  | project bin(TimeGenerated, BinTime), SourceIp, DestinationPort, AlertTimedCountHostsInBinTime, Fqdn  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1046
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
description: |
  'Identifies a source IP scanning same open ports on the Azure Firewall IPs. This can indicate malicious scanning of port by an attacker, trying to reveal IPs with specific ports open in the organization. The ports can be compromised by attackers for initial access, most often by exploiting vulnerability.

  Configurable Parameters:

  - Port sweep time - the time range to look for multiple hosts scanned. Default is set to 30 seconds.
  - Minimum different hosts threshold - alert only if more than this number of hosts scanned. Default is set to 200.'  
status: Available
version: 1.2.2
entityMappings:
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Fqdn
    identifier: Url
  entityType: URL

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/720335f4-ee8c-4270-9424-d0859222168c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/720335f4-ee8c-4270-9424-d0859222168c')]",
      "properties": {
        "alertRuleTemplateName": "720335f4-ee8c-4270-9424-d0859222168c",
        "customDetails": null,
        "description": "'Identifies a source IP scanning same open ports on the Azure Firewall IPs. This can indicate malicious scanning of port by an attacker, trying to reveal IPs with specific ports open in the organization. The ports can be compromised by attackers for initial access, most often by exploiting vulnerability.\n\nConfigurable Parameters:\n\n- Port sweep time - the time range to look for multiple hosts scanned. Default is set to 30 seconds.\n- Minimum different hosts threshold - alert only if more than this number of hosts scanned. Default is set to 200.'\n",
        "displayName": "Port Sweep",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Fqdn",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Sweep.yaml",
        "query": "let MinimumDifferentHostsThreshold = 200;\nlet ExcludedPorts = dynamic([80 , 443]);\nlet BinTime = 30s;\nunion isfuzzy=true(\nAZFWApplicationRule\n| where DestinationPort !in (ExcludedPorts)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where DestinationPort !in (ExcludedPorts)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime),\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where DestinationPort !in (ExcludedPorts)\n| where isnotempty(Fqdn) and isnotempty(SourceIp) and isnotempty(DestinationPort)\n| summarize AlertTimedCountHostsInBinTime = make_set(Fqdn) by SourceIp, bin(TimeGenerated, BinTime), DestinationPort\n| where array_length(AlertTimedCountHostsInBinTime) > MinimumDifferentHostsThreshold\n| mv-expand Fqdn = AlertTimedCountHostsInBinTime)\n| project bin(TimeGenerated, BinTime), SourceIp, DestinationPort, AlertTimedCountHostsInBinTime, Fqdn\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1046"
        ],
        "templateVersion": "1.2.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}