Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Inbound connection to high risk ports

Back
Idb2dd2dac-51c9-11ec-bf63-0242ac130002
RulenamePaloAlto - Inbound connection to high risk ports
DescriptionDetects inbound connection to high risk ports.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsPaloAltoCDL
PaloAltoCDLAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
Version1.0.1
Arm templateb2dd2dac-51c9-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'
| where ipv4_is_private(SrcIpAddr) == false
| where DstPortNumber in (HighRiskPorts)
| extend IPCustomEntity = SrcIpAddr
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
id: b2dd2dac-51c9-11ec-bf63-0242ac130002
name: PaloAlto - Inbound connection to high risk ports
query: |
  let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where ipv4_is_private(SrcIpAddr) == false
  | where DstPortNumber in (HighRiskPorts)
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1190
- T1133
queryFrequency: 1h
status: Available
requiredDataConnectors:
- dataTypes:
  - PaloAltoCDLEvent
  connectorId: PaloAltoCDL
- dataTypes:
  - PaloAltoCDLEvent
  connectorId: PaloAltoCDLAma
description: |
    'Detects inbound connection to high risk ports.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "b2dd2dac-51c9-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects inbound connection to high risk ports.'\n",
        "displayName": "PaloAlto - Inbound connection to high risk ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml",
        "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}