Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Corelight - Forced External Outbound SMB

Corelight - Forced External Outbound SMB

Back
Id73f23aa2-5cc4-4507-940b-75c9092e9e01
RulenameCorelight - Forced External Outbound SMB
DescriptionDetects SMB requests that originate internally and communicate with an external IP address.
SeverityMedium
TacticsCredentialAccess
TechniquesT1187
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
Version2.1.0
Arm template73f23aa2-5cc4-4507-940b-75c9092e9e01.json
Deploy To Azure
union corelight_conn, corelight_conn_red
| where local_orig == true
| where local_resp == false
| where history hasprefix 'Sh' and service hasprefix 'smb'

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
query: |
  union corelight_conn, corelight_conn_red
  | where local_orig == true
  | where local_resp == false
  | where history hasprefix 'Sh' and service hasprefix 'smb'  
requiredDataConnectors:
- dataTypes:
  - Corelight_v2_conn
  - Corelight_v2_conn_red
  - corelight_conn
  - corelight_conn_red
  connectorId: Corelight
tactics:
- CredentialAccess
name: Corelight - Forced External Outbound SMB
relevantTechniques:
- T1187
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: id_orig_h
  entityType: IP
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects SMB requests that originate internally and communicate with an external IP address.'
triggerThreshold: 0
triggerOperator: gt
version: 2.1.0
queryPeriod: 1h
id: 73f23aa2-5cc4-4507-940b-75c9092e9e01