Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PaloAlto - Inbound connection to high risk ports

Back
Idb2dd2dac-51c9-11ec-bf63-0242ac130002
RulenamePaloAlto - Inbound connection to high risk ports
DescriptionDetects inbound connection to high risk ports.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
Version1.0.3
Arm templateb2dd2dac-51c9-11ec-bf63-0242ac130002.json
Deploy To Azure
let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
PaloAltoCDLEvent
| where EventResourceId =~ 'TRAFFIC'
| where ipv4_is_private(SrcIpAddr) == false
| where DstPortNumber in (HighRiskPorts)
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
query: |
  let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'TRAFFIC'
  | where ipv4_is_private(SrcIpAddr) == false
  | where DstPortNumber in (HighRiskPorts)
  | extend IPCustomEntity = SrcIpAddr  
name: PaloAlto - Inbound connection to high risk ports
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
kind: Scheduled
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml
severity: Medium
id: b2dd2dac-51c9-11ec-bf63-0242ac130002
version: 1.0.3
description: |
    'Detects inbound connection to high risk ports.'
triggerOperator: gt
relevantTechniques:
- T1190
- T1133
status: Available
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b2dd2dac-51c9-11ec-bf63-0242ac130002')]",
      "properties": {
        "alertRuleTemplateName": "b2dd2dac-51c9-11ec-bf63-0242ac130002",
        "customDetails": null,
        "description": "'Detects inbound connection to high risk ports.'\n",
        "displayName": "PaloAlto - Inbound connection to high risk ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml",
        "query": "let HighRiskPorts = dynamic(['21', '22', '23', '25', '53', '443', '110', '135', '137', '138', '139', '1433', '1434']);\nPaloAltoCDLEvent\n| where EventResourceId =~ 'TRAFFIC'\n| where ipv4_is_private(SrcIpAddr) == false\n| where DstPortNumber in (HighRiskPorts)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}