Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Anomaly in SMB TrafficASIM Network Session schema

Back
Id8717e498-7b5d-4e23-9e7c-fa4913dbfd79
RulenameAnomaly in SMB Traffic(ASIM Network Session schema)
DescriptionThis detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.
SeverityMedium
TacticsLateralMovement
TechniquesT1021
T1021.002
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
Version1.0.0
Arm template8717e498-7b5d-4e23-9e7c-fa4913dbfd79.json
Deploy To Azure
// Define the threshold for deviation
let threshold = 50;
// Define the time range for the baseline data
let starttime = 14d;
let endtime = 1d;
// Define the SMB ports to monitor
let SMBPorts = dynamic(["139", "445"]);
// Get the baseline data for user network sessions and Filter for the defined time range
let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
  | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
  | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
// Get the recent user activity data and Filter for recent activity
let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
// Join the baseline and recent activity data
let UserBehaviorAnalysis = userBaseline
  | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
  | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation
// Filter for deviations greater than the threshold
UserBehaviorAnalysis
  | where Deviation > threshold
  | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns
severity: Medium
tags:
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.4
id: 8717e498-7b5d-4e23-9e7c-fa4913dbfd79
queryPeriod: 14d
queryFrequency: 1d
triggerOperator: gt
status: Available
relevantTechniques:
- T1021
- T1021.002
tactics:
- LateralMovement
kind: Scheduled
description: |
    'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.'
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
requiredDataConnectors: []
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
query: |
  // Define the threshold for deviation
  let threshold = 50;
  // Define the time range for the baseline data
  let starttime = 14d;
  let endtime = 1d;
  // Define the SMB ports to monitor
  let SMBPorts = dynamic(["139", "445"]);
  // Get the baseline data for user network sessions and Filter for the defined time range
  let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
    | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
    | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
    | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
  // Get the recent user activity data and Filter for recent activity
  let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
    | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
  // Join the baseline and recent activity data
  let UserBehaviorAnalysis = userBaseline
    | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
    | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation
  // Filter for deviations greater than the threshold
  UserBehaviorAnalysis
    | where Deviation > threshold
    | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns  
version: 1.0.0
name: Anomaly in SMB Traffic(ASIM Network Session schema)
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8717e498-7b5d-4e23-9e7c-fa4913dbfd79')]",
      "properties": {
        "alertRuleTemplateName": "8717e498-7b5d-4e23-9e7c-fa4913dbfd79",
        "customDetails": null,
        "description": "'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.'\n",
        "displayName": "Anomaly in SMB Traffic(ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml",
        "query": "// Define the threshold for deviation\nlet threshold = 50;\n// Define the time range for the baseline data\nlet starttime = 14d;\nlet endtime = 1d;\n// Define the SMB ports to monitor\nlet SMBPorts = dynamic([\"139\", \"445\"]);\n// Get the baseline data for user network sessions and Filter for the defined time range\nlet userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))\n  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n  | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port\n  | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count\n// Get the recent user activity data and Filter for recent activity\nlet recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))\n  | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports\n  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port\n// Join the baseline and recent activity data\nlet UserBehaviorAnalysis = userBaseline\n  | join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber\n  | extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation\n// Filter for deviations greater than the threshold\nUserBehaviorAnalysis\n  | where Deviation > threshold\n  | project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1021.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "tags": [
          {
            "Schema": "ASimNetworkSessions",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": [
          "T1021"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}