Corelight - Forced External Outbound SMB

Back


Id	73f23aa2-5cc4-4507-940b-75c9092e9e01
Rulename	Corelight - Forced External Outbound SMB
Description	Detects SMB requests that originate internally and communicate with an external IP address.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1187
Required data connectors	Corelight
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
Version	1.0.0
Arm template	73f23aa2-5cc4-4507-940b-75c9092e9e01.json

KQL

Corelight
| where EventType =~ 'conn'
| where ZeekConnLocalSrc == 'True'
| where ZeekConnLocalDst == 'False'
| where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'
| extend IPCustomEntity = SrcIpAddr

YAML

queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
tactics:
- CredentialAccess
query: |
  Corelight
  | where EventType =~ 'conn'
  | where ZeekConnLocalSrc == 'True'
  | where ZeekConnLocalDst == 'False'
  | where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects SMB requests that originate internally and communicate with an external IP address.'
queryFrequency: 1h
id: 73f23aa2-5cc4-4507-940b-75c9092e9e01
status: Available
relevantTechniques:
- T1187
severity: Medium
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
requiredDataConnectors:
- connectorId: Corelight
  dataTypes:
  - Corelight
name: Corelight - Forced External Outbound SMB

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Corelight - Forced External Outbound SMB",
        "description": "'Detects SMB requests that originate internally and communicate with an external IP address.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "Corelight\n| where EventType =~ 'conn'\n| where ZeekConnLocalSrc == 'True'\n| where ZeekConnLocalDst == 'False'\n| where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1187"
        ],
        "alertRuleTemplateName": "73f23aa2-5cc4-4507-940b-75c9092e9e01",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}