Anomaly in SMB TrafficASIM Network Session schema

Back


Id	8717e498-7b5d-4e23-9e7c-fa4913dbfd79
Rulename	Anomaly in SMB Traffic(ASIM Network Session schema)
Description	This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.
Severity	Medium
Tactics	LateralMovement
Techniques	T1021 T1021.002
Kind	Scheduled
Query frequency	1d
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
Version	1.0.0
Arm template	8717e498-7b5d-4e23-9e7c-fa4913dbfd79.json

KQL

// Define the threshold for deviation
let threshold = 50;
// Define the time range for the baseline data
let starttime = 14d;
let endtime = 1d;
// Define the SMB ports to monitor
let SMBPorts = dynamic(["139", "445"]);
// Get the baseline data for user network sessions and Filter for the defined time range
let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
  | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
  | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
// Get the recent user activity data and Filter for recent activity
let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
// Join the baseline and recent activity data
let UserBehaviorAnalysis = userBaseline
  | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
  | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation
// Filter for deviations greater than the threshold
UserBehaviorAnalysis
  | where Deviation > threshold
  | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns

YAML

relevantTechniques:
- T1021
- T1021.002
name: Anomaly in SMB Traffic(ASIM Network Session schema)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
triggerThreshold: 0
id: 8717e498-7b5d-4e23-9e7c-fa4913dbfd79
tactics:
- LateralMovement
version: 1.0.0
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
triggerOperator: gt
kind: Scheduled
tags:
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.4
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1d
severity: Medium
status: Available
description: |
    'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.'
query: |
  // Define the threshold for deviation
  let threshold = 50;
  // Define the time range for the baseline data
  let starttime = 14d;
  let endtime = 1d;
  // Define the SMB ports to monitor
  let SMBPorts = dynamic(["139", "445"]);
  // Get the baseline data for user network sessions and Filter for the defined time range
  let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
    | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
    | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
    | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
  // Get the recent user activity data and Filter for recent activity
  let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
    | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
  // Join the baseline and recent activity data
  let UserBehaviorAnalysis = userBaseline
    | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
    | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation
  // Filter for deviations greater than the threshold
  UserBehaviorAnalysis
    | where Deviation > threshold
    | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
      "properties": {
        "alertRuleTemplateName": "8717e498-7b5d-4e23-9e7c-fa4913dbfd79",
        "customDetails": null,
        "description": "'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.'\n",
        "displayName": "Anomaly in SMB Traffic(ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml",
        "query": "// Define the threshold for deviation\nlet threshold = 50;\n// Define the time range for the baseline data\nlet starttime = 14d;\nlet endtime = 1d;\n// Define the SMB ports to monitor\nlet SMBPorts = dynamic([\"139\", \"445\"]);\n// Get the baseline data for user network sessions and Filter for the defined time range\nlet userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))\n  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n  | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port\n  | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count\n// Get the recent user activity data and Filter for recent activity\nlet recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))\n  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port\n// Join the baseline and recent activity data\nlet UserBehaviorAnalysis = userBaseline\n  | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber\n  | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation\n// Filter for deviations greater than the threshold\nUserBehaviorAnalysis\n  | where Deviation > threshold\n  | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1021.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "tags": [
          {
            "Schema": "ASimNetworkSessions",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1021"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}