Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - Forced External Outbound SMB

Back
Id73f23aa2-5cc4-4507-940b-75c9092e9e01
RulenameCorelight - Forced External Outbound SMB
DescriptionDetects SMB requests that originate internally and communicate with an external IP address.
SeverityMedium
TacticsCredentialAccess
TechniquesT1187
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
Version1.0.0
Arm template73f23aa2-5cc4-4507-940b-75c9092e9e01.json
Deploy To Azure
Corelight
| where EventType =~ 'conn'
| where ZeekConnLocalSrc == 'True'
| where ZeekConnLocalDst == 'False'
| where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 1h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1187
query: |
  Corelight
  | where EventType =~ 'conn'
  | where ZeekConnLocalSrc == 'True'
  | where ZeekConnLocalDst == 'False'
  | where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'
  | extend IPCustomEntity = SrcIpAddr  
id: 73f23aa2-5cc4-4507-940b-75c9092e9e01
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: Corelight
  dataTypes:
  - Corelight
description: |
    'Detects SMB requests that originate internally and communicate with an external IP address.'
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml
status: Available
name: Corelight - Forced External Outbound SMB
tactics:
- CredentialAccess
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/73f23aa2-5cc4-4507-940b-75c9092e9e01')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Corelight - Forced External Outbound SMB",
        "description": "'Detects SMB requests that originate internally and communicate with an external IP address.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "Corelight\n| where EventType =~ 'conn'\n| where ZeekConnLocalSrc == 'True'\n| where ZeekConnLocalDst == 'False'\n| where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1187"
        ],
        "alertRuleTemplateName": "73f23aa2-5cc4-4507-940b-75c9092e9e01",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightForcedExternalOutboundSMB.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}