Port Scan

let MinimumDifferentPortsThreshold = 100;
let BinTime = 30s;
// Exclude known benign scanner IPs in your environment to reduce noise
let KnownScannerIPs = dynamic([]); 
union isfuzzy=true(
AZFWApplicationRule
| where SourceIp !in (KnownScannerIPs)
| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),
(AZFWNetworkRule
| where SourceIp !in (KnownScannerIPs)
| extend Fqdn = DestinationIp
| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),
(AzureDiagnostics
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int *
| where isnotempty(Fqdn) and isnotempty(SourceIp)
| where SourceIp !in (KnownScannerIPs) 
| summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold)

status: Available
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
query: |
  let MinimumDifferentPortsThreshold = 100;
  let BinTime = 30s;
  // Exclude known benign scanner IPs in your environment to reduce noise
  let KnownScannerIPs = dynamic([]); 
  union isfuzzy=true(
  AZFWApplicationRule
  | where SourceIp !in (KnownScannerIPs)
  | summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
  | where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),
  (AZFWNetworkRule
  | where SourceIp !in (KnownScannerIPs)
  | extend Fqdn = DestinationIp
  | summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
  | where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold),
  (AzureDiagnostics
  | where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
  | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int *
  | where isnotempty(Fqdn) and isnotempty(SourceIp)
  | where SourceIp !in (KnownScannerIPs) 
  | summarize AlertTimedCountPortsInBinTime = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, BinTime), Fqdn
  | where AlertTimedCountPortsInBinTime > MinimumDifferentPortsThreshold)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Port Scan.yaml
tactics:
- Discovery
- Reconnaissance
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIp
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Fqdn
requiredDataConnectors:
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
alertDetailsOverride:
  alertDescriptionFormat: Source IP {{SourceIp}} has scanned {{AlertTimedCountPortsInBinTime}} different ports within a short time frame, which may indicate reconnaissance activity.
  alertDisplayNameFormat: Port Scan Detected from {{SourceIp}}
relevantTechniques:
- T1046
- T1595.001
description: |
  'Identifies a source IP scanning multiple open ports on Azure Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.

  Configurable Parameters:

  - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
  - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.'  
name: Port Scan
version: 1.1.3
kind: Scheduled
id: b2c5907b-1040-4692-9802-9946031017e8
severity: Medium