Anomaly in SMB Traffic (ASIM Network Session schema)
Id | 8717e498-7b5d-4e23-9e7c-fa4913dbfd79 |
Rulename | Anomaly in SMB Traffic(ASIM Network Session schema) |
Description | This rule detects abnormal SMB traffic (SMB is a file-sharing protocol) by comparing each source's SMB connection count against its average over the last 14 days and flagging sources whose deviation from that average exceeds 50. |
Severity | Medium |
Tactics | LateralMovement |
Techniques | T1021 T1021.002 |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml |
Version | 1.0.0 |
Arm template | 8717e498-7b5d-4e23-9e7c-fa4913dbfd79.json |
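// Deviation threshold. Deviation is a ratio (see below), so 50 means the
// recent count differs from the daily baseline average by a factor of 50.
let threshold = 50;
// Baseline window: from 14 days ago up to 1 day ago. The most recent day
// (ago(endtime) .. now) is what gets compared against that baseline.
let starttime = 14d;
let endtime = 1d;
// SMB ports to monitor (NetBIOS session service and direct-hosted SMB).
let SMBPorts = dynamic(["139", "445"]);
// Baseline: per-day SMB session counts for every internal source / destination
// port pair, then averaged across the days on which that pair was active.
// Binning by day BEFORE avg() is what makes AvgCount a daily average; without
// the bin the first summarize yields one row per pair, and avg() over a single
// row just returns the total for the whole 13-day window, which a one-day
// RecentCount can essentially never exceed by 50x.
let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Internal sources only, SMB ports only, drop self-connections
| summarize Count = count() by SrcIpAddr, DstPortNumber, bin(TimeGenerated, 1d) // One row per source, port and day
| summarize AvgCount = avg(Count), BaselineDays = count() by SrcIpAddr, DstPortNumber; // Daily average; BaselineDays = number of active days behind it
// Recent activity: the last day, with exactly the same filters as the baseline
// so the two counts are comparable.
let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Same filter as the baseline
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Recent count plus first/last seen for triage
// Relative deviation of the recent count from the daily baseline average.
// kind=inner means only pairs with a baseline are evaluated, and every baseline
// row comes from count() >= 1, so AvgCount is never zero here.
let UserBehaviorAnalysis = userBaseline
| join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
| extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // 0 = identical to baseline, 1 = 100% off, ...
// One result row per source/port pair above the threshold. AvgCount,
// BaselineDays and the recent first/last-seen timestamps are kept so an analyst
// can judge how solid the baseline is (a low BaselineDays means a noisy average).
UserBehaviorAnalysis
| where Deviation > threshold
| project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount, AvgCount, BaselineDays, StartTimeUtc, EndTimeUtc; // SrcIpAddr is the mapped IP entity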
severity: Medium
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
id: 8717e498-7b5d-4e23-9e7c-fa4913dbfd79
queryPeriod: 14d
queryFrequency: 1d
triggerOperator: gt
status: Available
relevantTechniques:
- T1021
- T1021.002
tactics:
- LateralMovement
kind: Scheduled
description: |
'This rule detects abnormal SMB traffic (SMB is a file-sharing protocol) by comparing each source's SMB connection count against its average over the last 14 days and flagging sources whose deviation from that average exceeds 50.'
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
requiredDataConnectors: []
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
query: |
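// Deviation threshold. Deviation is a ratio (see below), so 50 means the
// recent count differs from the daily baseline average by a factor of 50.
let threshold = 50;
// Baseline window: from 14 days ago up to 1 day ago. The most recent day
// (ago(endtime) .. now) is what gets compared against that baseline.
let starttime = 14d;
let endtime = 1d;
// SMB ports to monitor (NetBIOS session service and direct-hosted SMB).
let SMBPorts = dynamic(["139", "445"]);
// Baseline: per-day SMB session counts for every internal source / destination
// port pair, then averaged across the days on which that pair was active.
// Binning by day BEFORE avg() is what makes AvgCount a daily average; without
// the bin the first summarize yields one row per pair, and avg() over a single
// row just returns the total for the whole 13-day window, which a one-day
// RecentCount can essentially never exceed by 50x.
let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Internal sources only, SMB ports only, drop self-connections
| summarize Count = count() by SrcIpAddr, DstPortNumber, bin(TimeGenerated, 1d) // One row per source, port and day
| summarize AvgCount = avg(Count), BaselineDays = count() by SrcIpAddr, DstPortNumber; // Daily average; BaselineDays = number of active days behind it
// Recent activity: the last day, with exactly the same filters as the baseline
// so the two counts are comparable.
let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Same filter as the baseline
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Recent count plus first/last seen for triage
// Relative deviation of the recent count from the daily baseline average.
// kind=inner means only pairs with a baseline are evaluated, and every baseline
// row comes from count() >= 1, so AvgCount is never zero here.
let UserBehaviorAnalysis = userBaseline
| join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
| extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // 0 = identical to baseline, 1 = 100% off, ...
// One result row per source/port pair above the threshold. AvgCount,
// BaselineDays and the recent first/last-seen timestamps are kept so an analyst
// can judge how solid the baseline is (a low BaselineDays means a noisy average).
UserBehaviorAnalysis
| where Deviation > threshold
| project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount, AvgCount, BaselineDays, StartTimeUtc, EndTimeUtc; // SrcIpAddr is the mapped IP entity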
version: 1.0.0
name: Anomaly in SMB Traffic(ASIM Network Session schema)
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
"properties": {
"alertRuleTemplateName": "8717e498-7b5d-4e23-9e7c-fa4913dbfd79",
"customDetails": null,
"description": "'This rule detects abnormal SMB traffic (SMB is a file-sharing protocol) by comparing each source's SMB connection count against its average over the last 14 days and flagging sources whose deviation from that average exceeds 50.'\n",
"displayName": "Anomaly in SMB Traffic(ASIM Network Session schema)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml",
"query": "// Define the threshold for deviation\nlet threshold = 50;\n// Define the time range for the baseline data\nlet starttime = 14d;\nlet endtime = 1d;\n// Define the SMB ports to monitor\nlet SMBPorts = dynamic([\"139\", \"445\"]);\n// Get the baseline data for user network sessions and Filter for the defined time range\nlet userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))\n | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port\n | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count\n// Get the recent user activity data and Filter for recent activity\nlet recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))\n | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port\n// Join the baseline and recent activity data\nlet UserBehaviorAnalysis = userBaseline\n | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber\n | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation\n// Filter for deviations greater than the threshold\nUserBehaviorAnalysis\n | where Deviation > threshold\n | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1021.002"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"tags": [
{
"Schema": "ASimNetworkSessions",
"SchemaVersion": "0.2.4"
}
],
"techniques": [
"T1021"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}