Network Port Sweep from External Network ASIM Network Session schema

Back


Id	cd8faa84-4464-4b4e-96dc-b22f50c27541
Rulename	Network Port Sweep from External Network (ASIM Network Session schema)
Description	This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize ASIM normalization, and is applied to any source which supports the ASIM Network Session schema.
Severity	High
Tactics	Reconnaissance Discovery
Techniques	T1590 T1046
Required data connectors	AIVectraStream AWSS3 AzureFirewall AzureMonitor(VMInsights) AzureNSG CheckPoint CiscoASA CiscoAsaAma CiscoMeraki Corelight Fortinet MicrosoftSysmonForLinux MicrosoftThreatProtection PaloAltoNetworks SecurityEvents WindowsForwardedEvents WindowsSecurityEvents Zscaler
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml
Version	1.0.5
Arm template	cd8faa84-4464-4b4e-96dc-b22f50c27541.json

KQL

let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback),endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr,100) by SrcIpAddr, DstPortNumber
| where array_length(set_DstIpAddr) > threshold

YAML

alertDetailsOverride:
  alertDescriptionFormat: Network Port Sweep was detection by multiple IPs
  alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}}
description: |
    'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.'
kind: Scheduled
tactics:
- Reconnaissance
- Discovery
requiredDataConnectors:
- connectorId: AWSS3
  dataTypes:
  - AWSVPCFlow
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
- connectorId: MicrosoftSysmonForLinux
  dataTypes:
  - Syslog
- connectorId: PaloAltoNetworks
  dataTypes:
  - CommonSecurityLog
- connectorId: AzureMonitor(VMInsights)
  dataTypes:
  - VMConnection
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
- connectorId: AzureNSG
  dataTypes:
  - AzureDiagnostics
- connectorId: CiscoASA
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoAsaAma
  dataTypes:
  - CommonSecurityLog
- connectorId: Corelight
  dataTypes:
  - Corelight_CL
- connectorId: AIVectraStream
  dataTypes:
  - VectraStream
- connectorId: CheckPoint
  dataTypes:
  - CommonSecurityLog
- connectorId: Fortinet
  dataTypes:
  - CommonSecurityLog
- connectorId: CiscoMeraki
  dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml
severity: High
name: Network Port Sweep from External Network (ASIM Network Session schema)
customDetails:
  AllDstIpAddr: set_DstIpAddr
triggerThreshold: 0
queryPeriod: 1h
query: |
  let lookback = 1h;
  let threshold = 20;
  _Im_NetworkSession(starttime=ago(lookback),endtime=now())
  | where NetworkDirection == "Inbound"
  | summarize make_set(DstIpAddr,100) by SrcIpAddr, DstPortNumber
  | where array_length(set_DstIpAddr) > threshold  
relevantTechniques:
- T1590
- T1046
id: cd8faa84-4464-4b4e-96dc-b22f50c27541
queryFrequency: 1h
status: Available
version: 1.0.5
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
tags:
- Schema: ASimNetworkSessions
  SchemaVersion: 0.2.4

ARM