Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Inbound connection to high risk ports

Back
Idb2dd2dac-51c9-11ec-bf63-0242ac130002
RulenamePaloAlto - Inbound connection to high risk ports
DescriptionDetects inbound connection to high risk ports.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
Version1.0.3
Arm templateb2dd2dac-51c9-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'
| where ipv4_is_private(SrcIpAddr) == false
| where DstPortNumber in (HighRiskPorts)
| extend IPCustomEntity = SrcIpAddr
relevantTechniques:
- T1190
- T1133
name: PaloAlto - Inbound connection to high risk ports
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: b2dd2dac-51c9-11ec-bf63-0242ac130002
tactics:
- InitialAccess
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects inbound connection to high risk ports.'
query: |
  let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where ipv4_is_private(SrcIpAddr) == false
  | where DstPortNumber in (HighRiskPorts)
  | extend IPCustomEntity = SrcIpAddr  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "b2dd2dac-51c9-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects inbound connection to high risk ports.'\n",
        "displayName": "PaloAlto - Inbound connection to high risk ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml",
        "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}