Port Scan

let RunTime = 1h;
let StartRunTime = 1d;
let EndRunTime = StartRunTime - RunTime;
let MinimumDifferentPortsThreshold = 100;
let BinTime = 30s;
AzureDiagnostics
| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport
| where isnotempty(dsturl) and isnotempty(srcip)
| summarize AlertTimedCountPortsInBinTime = dcount(dstport) by srcip, bin(TimeGenerated, BinTime), dsturl
| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold
| extend IPCustomEntity = srcip, URLCustomEntity = dsturl

queryPeriod: 1h
version: 1.0.0
relevantTechniques:
- T1046
queryFrequency: 1h
kind: Scheduled
name: Port Scan
id: b2c5907b-1040-4692-9802-9946031017e8
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml
severity: Medium
query: |
  let RunTime = 1h;
  let StartRunTime = 1d;
  let EndRunTime = StartRunTime - RunTime;
  let MinimumDifferentPortsThreshold = 100;
  let BinTime = 30s;
  AzureDiagnostics
  | where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))
  | where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
  | parse msg_s with * "from " srcip ":" srcport " to " dsturl ":" dstport
  | where isnotempty(dsturl) and isnotempty(srcip)
  | summarize AlertTimedCountPortsInBinTime = dcount(dstport) by srcip, bin(TimeGenerated, BinTime), dsturl
  | where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold
  | extend IPCustomEntity = srcip, URLCustomEntity = dsturl  
tactics:
- Discovery
description: |
  'Identifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.

  Configurable Parameters:

  - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
  - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.'  
requiredDataConnectors:
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
status: Available
triggerThreshold: 1
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b2c5907b-1040-4692-9802-9946031017e8')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b2c5907b-1040-4692-9802-9946031017e8')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Port Scan",
        "description": "'Identifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.\n\nConfigurable Parameters:\n\n- Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.\n- Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let RunTime = 1h;\nlet StartRunTime = 1d;\nlet EndRunTime = StartRunTime - RunTime;\nlet MinimumDifferentPortsThreshold = 100;\nlet BinTime = 30s;\nAzureDiagnostics\n| where TimeGenerated  between (ago(StartRunTime) .. ago(EndRunTime))\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n| parse msg_s with * \"from \" srcip \":\" srcport \" to \" dsturl \":\" dstport\n| where isnotempty(dsturl) and isnotempty(srcip)\n| summarize AlertTimedCountPortsInBinTime = dcount(dstport) by srcip, bin(TimeGenerated, BinTime), dsturl\n| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold\n| extend IPCustomEntity = srcip, URLCustomEntity = dsturl\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1046"
        ],
        "alertRuleTemplateName": "b2c5907b-1040-4692-9802-9946031017e8",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "URLCustomEntity"
              }
            ],
            "entityType": "URL"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}