Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Abnormal Deny Rate for Source IP

Back
Idd36bb1e3-5abc-4037-ad9a-24ba3469819e
RulenameAbnormal Deny Rate for Source IP
DescriptionIdentifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.



Configurable Parameters:



- Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.

- Learning period time - learning period for threshold calculation in days. Default is set to 5.

- Bin time - learning buckets time in hours. Default is set to 1 hour.

- Minimum threshold - minimum threshold for alert. Default is set to 5.

- Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.
SeverityMedium
TacticsInitialAccess
Exfiltration
CommandAndControl
TechniquesT1190
T1041
T1568
Required data connectorsAzureFirewall
KindScheduled
Query frequency1h
Query period25h
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml
Version1.1.2
Arm templated36bb1e3-5abc-4037-ad9a-24ba3469819e.json
Deploy To Azure
let LearningPeriod = 1d;
let RunTime = 1h;
let StartLearningPeriod = LearningPeriod + RunTime;
let EndRunTime = RunTime - 1h;
let BinTime = 1h;
let NumOfStdsThreshold = 3;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = (union isfuzzy=true
(AzureDiagnostics
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog" 
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWNetworkRule
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWFlowTrace
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWIdpsSignature
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWApplicationRule
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)));
let LearningSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
| where LearningTimeBuckets > MinLearningBuckets);
let AlertTimeSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp);
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project-away SourceIp1, LearningTimeSrcIpDenyRateAvg, LearningTimeSrcIpDenyRateStd
status: Available
queryFrequency: 1h
description: |
  'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.

  Configurable Parameters:

  - Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.
  - Learning period time - learning period for threshold calculation in days. Default is set to 5.
  - Bin time - learning buckets time in hours. Default is set to 1 hour.
  - Minimum threshold - minimum threshold for alert. Default is set to 5.
  - Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.'  
severity: Medium
version: 1.1.2
relevantTechniques:
- T1190
- T1041
- T1568
name: Abnormal Deny Rate for Source IP
triggerThreshold: 1
kind: Scheduled
query: |
  let LearningPeriod = 1d;
  let RunTime = 1h;
  let StartLearningPeriod = LearningPeriod + RunTime;
  let EndRunTime = RunTime - 1h;
  let BinTime = 1h;
  let NumOfStdsThreshold = 3;
  let MinThreshold = 5.0;
  let MinLearningBuckets = 5;
  let TrafficLogs = (union isfuzzy=true
  (AzureDiagnostics
  | where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog" 
  | parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
  | where Action == "Deny"
  | where isnotempty(Fqdn) and isnotempty(SourceIp)),
  (AZFWNetworkRule
  | extend Fqdn = DestinationIp
  | where Action == "Deny"
  | where isnotempty(Fqdn) and isnotempty(SourceIp)),
  (AZFWFlowTrace
  | extend Fqdn = DestinationIp
  | where Action == "Deny"
  | where isnotempty(Fqdn) and isnotempty(SourceIp)),
  (AZFWIdpsSignature
  | extend Fqdn = DestinationIp
  | where Action == "Deny"
  | where isnotempty(Fqdn) and isnotempty(SourceIp)),
  (AZFWApplicationRule
  | where Action == "Deny"
  | where isnotempty(Fqdn) and isnotempty(SourceIp)));
  let LearningSrcIpDenyRate = (TrafficLogs
  | where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
  | summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
  | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
  | where LearningTimeBuckets > MinLearningBuckets);
  let AlertTimeSrcIpDenyRate = (TrafficLogs
  | where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
  | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp);
  AlertTimeSrcIpDenyRate
  | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp
  | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
  | where AlertTimeSrcIpDenyRateCount > LearningThreshold
  | project-away SourceIp1, LearningTimeSrcIpDenyRateAvg, LearningTimeSrcIpDenyRateStd  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml
requiredDataConnectors:
- connectorId: AzureFirewall
  dataTypes:
  - AzureDiagnostics
  - AZFWApplicationRule
  - AZFWNetworkRule
  - AZFWFlowTrace
  - AZFWIdpsSignature
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
id: d36bb1e3-5abc-4037-ad9a-24ba3469819e
queryPeriod: 25h
entityMappings:
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: Fqdn
    identifier: Url
  entityType: URL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d36bb1e3-5abc-4037-ad9a-24ba3469819e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d36bb1e3-5abc-4037-ad9a-24ba3469819e')]",
      "properties": {
        "alertRuleTemplateName": "d36bb1e3-5abc-4037-ad9a-24ba3469819e",
        "customDetails": null,
        "description": "'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.\n\nConfigurable Parameters:\n\n- Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.\n- Learning period time - learning period for threshold calculation in days. Default is set to 5.\n- Bin time - learning buckets time in hours. Default is set to 1 hour.\n- Minimum threshold - minimum threshold for alert. Default is set to 5.\n- Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.'\n",
        "displayName": "Abnormal Deny Rate for Source IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Fqdn",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml",
        "query": "let LearningPeriod = 1d;\nlet RunTime = 1h;\nlet StartLearningPeriod = LearningPeriod + RunTime;\nlet EndRunTime = RunTime - 1h;\nlet BinTime = 1h;\nlet NumOfStdsThreshold = 3;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = (union isfuzzy=true\n(AzureDiagnostics\n| where OperationName == \"AzureFirewallApplicationRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\" \n| parse msg_s with * \"from \" SourceIp \":\" SourcePort:int \" to \" Fqdn \":\" DestinationPort:int \". \" * \"Action: \" Action \".\" *\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWNetworkRule\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWFlowTrace\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWIdpsSignature\n| extend Fqdn = DestinationIp\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)),\n(AZFWApplicationRule\n| where Action == \"Deny\"\n| where isnotempty(Fqdn) and isnotempty(SourceIp)));\nlet LearningSrcIpDenyRate = (TrafficLogs\n| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))\n| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn\n| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn\n| where LearningTimeBuckets > MinLearningBuckets);\nlet AlertTimeSrcIpDenyRate = (TrafficLogs\n| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))\n| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp);\nAlertTimeSrcIpDenyRate\n| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp\n| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n| where AlertTimeSrcIpDenyRateCount > LearningThreshold\n| project-away SourceIp1, LearningTimeSrcIpDenyRateAvg, LearningTimeSrcIpDenyRateStd\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT25H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1041",
          "T1190",
          "T1568"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}