Corelight - Forced External Outbound SMB

Back


Id	73f23aa2-5cc4-4507-940b-75c9092e9e01
Rulename	Corelight - Forced External Outbound SMB
Description	Detects SMB requests that originate internally and communicate with an external IP address.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1187
Required data connectors	Corelight
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
Version	2.1.0
Arm template	73f23aa2-5cc4-4507-940b-75c9092e9e01.json

KQL

union corelight_conn, corelight_conn_red
| where local_orig == true
| where local_resp == false
| where history hasprefix 'Sh' and service hasprefix 'smb'

YAML

id: 73f23aa2-5cc4-4507-940b-75c9092e9e01
tactics:
- CredentialAccess
queryPeriod: 1h
triggerThreshold: 0
name: Corelight - Forced External Outbound SMB
query: |
  union corelight_conn, corelight_conn_red
  | where local_orig == true
  | where local_resp == false
  | where history hasprefix 'Sh' and service hasprefix 'smb'  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1187
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: Corelight
  dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
description: |
    'Detects SMB requests that originate internally and communicate with an external IP address.'
status: Available
version: 2.1.0
entityMappings:
- fieldMappings:
  - columnName: id_orig_h
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "properties": {
        "alertRuleTemplateName": "73f23aa2-5cc4-4507-940b-75c9092e9e01",
        "customDetails": null,
        "description": "'Detects SMB requests that originate internally and communicate with an external IP address.'\n",
        "displayName": "Corelight - Forced External Outbound SMB",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "id_orig_h",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml",
        "query": "union corelight_conn, corelight_conn_red\n| where local_orig == true\n| where local_resp == false\n| where history hasprefix 'Sh' and service hasprefix 'smb'\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1187"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}