Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GSA - Detect Source IP Scanning Multiple Open Ports

GSA - Detect Source IP Scanning Multiple Open Ports

Back
Id82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
RulenameGSA - Detect Source IP Scanning Multiple Open Ports
DescriptionIdentifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
SeverityMedium
TacticsDiscovery
TechniquesT1046
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
Version1.0.1
Arm template82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1.json
Deploy To Azure
let port_scan_time = 30s;
let min_ports_threshold = 100;
NetworkAccessTraffic
| where TimeGenerated > ago(1d)
| where Action == 'Allowed'
| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
| where PortsScanned > min_ports_threshold
| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn

relevantTechniques:
- T1046
name: GSA - Detect Source IP Scanning Multiple Open Ports
Configurable Parameters:
- Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
- Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
requiredDataConnectors:
- dataTypes:
  - EnrichedMicrosoft365AuditLogs
  connectorId: AzureActiveDirectory
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIp
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: DestinationFqdn
  entityType: URL
triggerThreshold: 1
id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
tactics:
- Discovery
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: Medium
status: Available
description: |
    Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
query: |
  let port_scan_time = 30s;
  let min_ports_threshold = 100;
  NetworkAccessTraffic
  | where TimeGenerated > ago(1d)
  | where Action == 'Allowed'
  | summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)
  | where PortsScanned > min_ports_threshold
  | project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]",
      "properties": {
        "alertRuleTemplateName": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1",
        "Configurable Parameters": [
          "Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.",
          "Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100."
        ],
        "customDetails": null,
        "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n",
        "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "DestinationFqdn",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml",
        "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1046"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}