Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Inbound connection to high risk ports

Back
Idb2dd2dac-51c9-11ec-bf63-0242ac130002
RulenamePaloAlto - Inbound connection to high risk ports
DescriptionDetects inbound connection to high risk ports.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
Version1.0.3
Arm templateb2dd2dac-51c9-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'
| where ipv4_is_private(SrcIpAddr) == false
| where DstPortNumber in (HighRiskPorts)
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
severity: Medium
queryFrequency: 1h
id: b2dd2dac-51c9-11ec-bf63-0242ac130002
relevantTechniques:
- T1190
- T1133
queryPeriod: 1h
name: PaloAlto - Inbound connection to high risk ports
status: Available
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
description: |
    'Detects inbound connection to high risk ports.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
query: |
  let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where ipv4_is_private(SrcIpAddr) == false
  | where DstPortNumber in (HighRiskPorts)
  | extend IPCustomEntity = SrcIpAddr  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "b2dd2dac-51c9-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects inbound connection to high risk ports.'\n",
        "displayName": "PaloAlto - Inbound connection to high risk ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml",
        "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}