GSA - Detect Source IP Scanning Multiple Open Ports
| Id | 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 |
| Rulename | GSA - Detect Source IP Scanning Multiple Open Ports |
| Description | Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds. - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100. |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1046 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml |
| Version | 1.0.2 |
| Arm template | 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1.json |
let port_scan_time = 30s;
let min_ports_threshold = 100;
NetworkAccessTraffic
| where TimeGenerated > ago(1d)
| where Action == 'Allowed'
| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
| where PortsScanned > min_ports_threshold
| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn
triggerThreshold: 1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- NetworkAccessTrafficLogs
severity: Medium
queryFrequency: 1d
id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
relevantTechniques:
- T1046
queryPeriod: 1d
name: GSA - Detect Source IP Scanning Multiple Open Ports
status: Available
kind: Scheduled
tactics:
- Discovery
triggerOperator: gt
version: 1.0.2
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIp
identifier: Address
- entityType: URL
fieldMappings:
- columnName: DestinationFqdn
identifier: Url
description: |
Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
Configurable Parameters:
- Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
- Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
query: |
let port_scan_time = 30s;
let min_ports_threshold = 100;
NetworkAccessTraffic
| where TimeGenerated > ago(1d)
| where Action == 'Allowed'
| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
| where PortsScanned > min_ports_threshold
| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
"properties": {
"alertRuleTemplateName": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1",
"customDetails": null,
"description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n Configurable Parameters:\n - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.\n",
"displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "DestinationFqdn",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml",
"query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1046"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}