Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

vArmour AppController - SMB Realm Traversal

Back
Ida36de6c3-3198-4d37-92ae-e19e36712c2e
RulenamevArmour AppController - SMB Realm Traversal
DescriptionDetects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms
SeverityMedium
TacticsDiscovery
LateralMovement
TechniquesT1135
T1570
Required data connectorsCefAma
vArmourAC
vArmourACAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/vArmour Application Controller/Analytic Rules/vArmourApplicationControllerSMBRealmTraversal.yaml
Version1.0.2
Arm templatea36de6c3-3198-4d37-92ae-e19e36712c2e.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "vArmour"
| where DeviceProduct == "AC"
| where Activity == "POLICY_VIOLATION"
| extend PolicyName = extract("(SMB_REALM_TRAVERSAL\\w+{.*})", 1, DeviceCustomString1)
kind: Scheduled
relevantTechniques:
- T1135
- T1570
description: |
    'Detects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- Discovery
- LateralMovement
name: vArmour AppController - SMB Realm Traversal
requiredDataConnectors:
- connectorId: vArmourAC
  dataTypes:
  - CommonSecurityLog
- connectorId: vArmourACAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
triggerThreshold: 0
version: 1.0.2
id: a36de6c3-3198-4d37-92ae-e19e36712c2e
query: |
  CommonSecurityLog
  | where DeviceVendor == "vArmour"
  | where DeviceProduct == "AC"
  | where Activity == "POLICY_VIOLATION"
  | extend PolicyName = extract("(SMB_REALM_TRAVERSAL\\w+{.*})", 1, DeviceCustomString1)  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/vArmour Application Controller/Analytic Rules/vArmourApplicationControllerSMBRealmTraversal.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a36de6c3-3198-4d37-92ae-e19e36712c2e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a36de6c3-3198-4d37-92ae-e19e36712c2e')]",
      "properties": {
        "alertRuleTemplateName": "a36de6c3-3198-4d37-92ae-e19e36712c2e",
        "customDetails": null,
        "description": "'Detects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms'\n",
        "displayName": "vArmour AppController - SMB Realm Traversal",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/vArmour Application Controller/Analytic Rules/vArmourApplicationControllerSMBRealmTraversal.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| extend PolicyName = extract(\"(SMB_REALM_TRAVERSAL\\\\w+{.*})\", 1, DeviceCustomString1)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "LateralMovement"
        ],
        "techniques": [
          "T1135",
          "T1570"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}