Remote Desktop Network Brute force ASIM Network Session schema
Id | b7dc801e-1e79-48bb-91e8-2229a8e6d40b |
Rulename | Remote Desktop Network Brute force (ASIM Network Session schema) |
Description | This detection identifies failed RDP (destination port 3389) network sessions from non-private (per ipv4_is_private) source IP addresses and alerts on any source IP that generates 25 or more failures within a 5-minute window (hard-coded, inclusive threshold). Destinations are distinct-counted, not grouped, so the threshold applies per source across all targets rather than per source/destination pair. |
Severity | Medium |
Tactics | CredentialAccess |
Techniques | T1110 |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Remote Desktop Network Brute force (ASIM Network Session schema).yaml |
Version | 1.0.0 |
Arm template | b7dc801e-1e79-48bb-91e8-2229a8e6d40b.json |
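// Start from ASIM NetworkSession events whose EventResult is "Failure" (passed as a parser parameter)
_Im_NetworkSession(eventresult="Failure")
// Keep only sources that are not private IPv4 (as defined by ipv4_is_private), destination port 3389 (RDP),
// and drop rows whose source and destination address are identical.
// The ASIM NetworkSession schema types DstPortNumber as an integer, so compare it directly
// instead of coercing it to a string for a term match.
// NOTE(review): ipv4_is_private() returns null for non-IPv4 input, so not(null) is null and
// IPv6 sources never reach the summarize below - confirm that is intended. Internal
// (private-source) RDP brute force is out of scope for this rule by design.
| where not(ipv4_is_private(SrcIpAddr)) and DstPortNumber == 3389 and SrcIpAddr != DstIpAddr
// Aggregate per source IP, destination port and result in 5-minute bins, recording the
// first/last seen time, how many distinct destinations were hit, the summed event count
// and up to 10 reporting vendors.
// DstIpAddr is intentionally NOT a grouping key: the threshold below is per source across
// all destinations (a spray over many hosts accumulates), not per source/destination pair.
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
// Alert on 25 or more failed sessions from one source within a bin (inclusive, hard-coded threshold)
| where Eventscount >= 25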
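# Microsoft Sentinel scheduled analytic rule (Network Session Essentials solution).
# Scope notes, taken from the query itself:
#   - only sources that are NOT private IPv4 (per ipv4_is_private) are considered, so
#     internal / lateral-movement RDP brute force is out of scope by design;
#   - ipv4_is_private() returns null for non-IPv4 input, so IPv6 sources are dropped
#     silently - NOTE(review): confirm that is intended;
#   - the threshold is per source IP across all destinations (DstIpAddr is only
#     distinct-counted), which is also why only SrcIpAddr can be mapped as an entity.
id: b7dc801e-1e79-48bb-91e8-2229a8e6d40b
name: Remote Desktop Network Brute force (ASIM Network Session schema)
description: |
  'This detection identifies failed RDP (destination port 3389) network sessions from non-private (per ipv4_is_private) source IP addresses and alerts on any source IP that generates 25 or more failures within a 5-minute window (hard-coded, inclusive threshold).'
severity: Medium
status: Available
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  // Start from ASIM NetworkSession events whose EventResult is "Failure" (passed as a parser parameter)
  _Im_NetworkSession(eventresult="Failure")
  // Keep only sources that are not private IPv4 (as defined by ipv4_is_private), destination port 3389 (RDP),
  // and drop rows whose source and destination address are identical.
  // The ASIM NetworkSession schema types DstPortNumber as an integer, so compare it directly
  // instead of coercing it to a string for a term match.
  // NOTE(review): ipv4_is_private() returns null for non-IPv4 input, so not(null) is null and
  // IPv6 sources never reach the summarize below - confirm that is intended.
  | where not(ipv4_is_private(SrcIpAddr)) and DstPortNumber == 3389 and SrcIpAddr != DstIpAddr
  // Aggregate per source IP, destination port and result in 5-minute bins, recording the
  // first/last seen time, how many distinct destinations were hit, the summed event count
  // and up to 10 reporting vendors.
  // DstIpAddr is intentionally NOT a grouping key: the threshold below is per source across
  // all destinations, not per source/destination pair.
  | summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
  // Alert on 25 or more failed sessions from one source within a bin (inclusive, hard-coded threshold)
  | where Eventscount >= 25
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
eventGroupingSettings:
  # One alert per returned row, i.e. per source IP per 5-minute bin.
  aggregationKind: AlertPerResult
version: 1.0.0
kind: Scheduled
tags:
  - Schema: ASimNetworkSessions
    SchemaVersion: 0.2.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Remote Desktop Network Brute force (ASIM Network Session schema).yaml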
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7dc801e-1e79-48bb-91e8-2229a8e6d40b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7dc801e-1e79-48bb-91e8-2229a8e6d40b')]",
"properties": {
"alertRuleTemplateName": "b7dc801e-1e79-48bb-91e8-2229a8e6d40b",
"customDetails": null,
"description": "'This detection identifies failed RDP (destination port 3389) network sessions from non-private (per ipv4_is_private) source IP addresses and alerts on any source IP that generates 25 or more failures within a 5-minute window (hard-coded, inclusive threshold).'\n",
"displayName": "Remote Desktop Network Brute force (ASIM Network Session schema)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/Remote Desktop Network Brute force (ASIM Network Session schema).yaml",
"query": "// Start of the query and Filter events that resulted in failure\n_Im_NetworkSession(eventresult=\"Failure\")\n// Filter out private source IP addresses and focus on specific destination port (3389)\n// Also, ensure that the source and destination IP addresses are not the same\n| where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any (\"3389\") and SrcIpAddr != DstIpAddr\n// Summarize the data by source and destination IP addresses, destination port number, network protocol, and event result\n// Also, bin the time generated in 5-minute intervals\n// Calculate the minimum and maximum time generated, the sum of event counts, and a set of up to 10 event vendors\n| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)\n// Filter the summarized data to include only those with an event count of 25 or more\n| where Eventscount >= 25\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"tags": [
{
"Schema": "ASimNetworkSessions",
"SchemaVersion": "0.2.4"
}
],
"techniques": [
"T1110"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}