Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Network Port Sweep from External Network ASIM Network Session schema

Back
Idcd8faa84-4464-4b4e-96dc-b22f50c27541
RulenameNetwork Port Sweep from External Network (ASIM Network Session schema)
DescriptionThis detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize ASIM normalization, and is applied to any source which supports the ASIM Network Session schema.
SeverityHigh
TacticsDiscovery
Required data connectorsAIVectraStream
AWSS3
AzureFirewall
AzureMonitor(VMInsights)
AzureNSG
CheckPoint
CiscoASA
CiscoMeraki
Corelight
Fortinet
MicrosoftSysmonForLinux
MicrosoftThreatProtection
PaloAltoNetworks
SecurityEvents
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml
Version1.0.2
Arm templatecd8faa84-4464-4b4e-96dc-b22f50c27541.json
Deploy To Azure
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback),endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr,100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold
alertDetailsOverride:
  alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}}
  alertDescriptionFormat: Network Port Sweep was detection by multiple IPs
triggerOperator: gt
tactics:
- Discovery
queryPeriod: 1h
kind: Scheduled
relevantTechniques: 
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Network Port Sweep from External Network (ASIM Network Session schema)
customDetails:
  AllDstIpAddr: set_DstIpAddr
description: |
    'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.'
version: 1.0.2
queryFrequency: 1h
tags:
- SchemaVersion: 0.2.4
  Schema: ASimNetworkSessions
triggerThreshold: 0
severity: High
id: cd8faa84-4464-4b4e-96dc-b22f50c27541
status: Available
requiredDataConnectors:
- dataTypes:
  - AWSVPCFlow
  connectorId: AWSS3
- dataTypes:
  - DeviceNetworkEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: MicrosoftSysmonForLinux
- dataTypes:
  - CommonSecurityLog
  connectorId: PaloAltoNetworks
- dataTypes:
  - VMConnection
  connectorId: AzureMonitor(VMInsights)
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureFirewall
- dataTypes:
  - AzureDiagnostics
  connectorId: AzureNSG
- dataTypes:
  - CommonSecurityLog
  connectorId: CiscoASA
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
- dataTypes:
  - VectraStream
  connectorId: AIVectraStream
- dataTypes:
  - CommonSecurityLog
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog
  connectorId: Fortinet
- dataTypes:
  - Syslog
  - CiscoMerakiNativePoller
  connectorId: CiscoMeraki
query: |
  let lookback = 1h;
  let threshold = 20;
  _Im_NetworkSession(starttime=ago(lookback),endtime=now())
  | where NetworkDirection == "Inbound"
  | summarize make_set(DstIpAddr,100) by DstPortNumber
  | where array_length(set_DstIpAddr) > threshold  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd8faa84-4464-4b4e-96dc-b22f50c27541')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd8faa84-4464-4b4e-96dc-b22f50c27541')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Network Port Sweep was detection by multiple IPs",
          "alertDisplayNameFormat": "Network Port Sweep detected on {{DstPortNumber}}"
        },
        "alertRuleTemplateName": "cd8faa84-4464-4b4e-96dc-b22f50c27541",
        "customDetails": {
          "AllDstIpAddr": "set_DstIpAddr"
        },
        "description": "'This detection rule detects scenarios when a particular port is being scanned by multiple external sources. The rule utilize [ASIM](https://aka.ms/AboutASIM) normalization, and is applied to any source which supports the ASIM Network Session schema.'\n",
        "displayName": "Network Port Sweep from External Network (ASIM Network Session schema)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml",
        "query": "let lookback = 1h;\nlet threshold = 20;\n_Im_NetworkSession(starttime=ago(lookback),endtime=now())\n| where NetworkDirection == \"Inbound\"\n| summarize make_set(DstIpAddr,100) by DstPortNumber\n| where array_length(set_DstIpAddr) > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "tags": [
          {
            "Schema": "ASimNetworkSessions",
            "SchemaVersion": "0.2.4"
          }
        ],
        "techniques": null,
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}