Abnormal Deny Rate for Source IP
| Id | d36bb1e3-5abc-4037-ad9a-24ba3469819e |
| Rulename | Abnormal Deny Rate for Source IP |
| Description | Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules. Configurable Parameters: - Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3. - Learning period time - learning period for threshold calculation in days. Default is set to 5. - Bin time - learning buckets time in hours. Default is set to 1 hour. - Minimum threshold - minimum threshold for alert. Default is set to 5. - Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5. |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration CommandAndControl Discovery |
| Techniques | T1190 T1041 T1568.001 T1568.002 T1046 |
| Required data connectors | AzureFirewall |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 25h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml |
| Version | 1.1.3 |
| Arm template | d36bb1e3-5abc-4037-ad9a-24ba3469819e.json |
let LearningPeriod = 1d;
let RunTime = 1h;
let StartLearningPeriod = LearningPeriod + RunTime;
let EndRunTime = RunTime - 1h;
let BinTime = 1h;
let NumOfStdsThreshold = 3;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
// Restrict unioned tables to the full analysis window to avoid full-table scans
let FullWindowStart = ago(StartLearningPeriod);
let FullWindowEnd = now();
let TrafficLogs = (union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWNetworkRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWFlowTrace
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWIdpsSignature
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWApplicationRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)));
let LearningSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
| where LearningTimeBuckets > MinLearningBuckets);
let AlertTimeSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, Fqdn);
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, Fqdn
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, Fqdn, AlertTimeSrcIpDenyRateCount, LearningTimeBuckets, LearningThreshold
relevantTechniques:
- T1190
- T1041
- T1568.001
- T1568.002
- T1046
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIp
identifier: Address
- entityType: URL
fieldMappings:
- columnName: Fqdn
identifier: Url
version: 1.1.3
id: d36bb1e3-5abc-4037-ad9a-24ba3469819e
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.
Configurable Parameters:
- Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.
- Learning period time - learning period for threshold calculation in days. Default is set to 5.
- Bin time - learning buckets time in hours. Default is set to 1 hour.
- Minimum threshold - minimum threshold for alert. Default is set to 5.
- Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.'
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWNetworkRule
- AZFWFlowTrace
- AZFWIdpsSignature
triggerOperator: gt
name: Abnormal Deny Rate for Source IP
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
- Discovery
alertDetailsOverride:
alertDescriptionFormat: |
The source IP {{SourceIp}} has an abnormal deny rate to destination {{Fqdn}} with {{AlertTimeSrcIpDenyRateCount}} denies, which is above the calculated threshold. This could indicate potential exfiltration, initial access or C2 activities.
alertDisplayNameFormat: Abnormal Deny Rate for Source IP {{SourceIp}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Firewall/Analytic Rules/Azure Firewall - Abnormal Deny Rate for Source IP.yaml
triggerThreshold: 0
queryPeriod: 25h
query: |
let LearningPeriod = 1d;
let RunTime = 1h;
let StartLearningPeriod = LearningPeriod + RunTime;
let EndRunTime = RunTime - 1h;
let BinTime = 1h;
let NumOfStdsThreshold = 3;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
// Restrict unioned tables to the full analysis window to avoid full-table scans
let FullWindowStart = ago(StartLearningPeriod);
let FullWindowEnd = now();
let TrafficLogs = (union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWNetworkRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWFlowTrace
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWIdpsSignature
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWApplicationRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)));
let LearningSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
| where LearningTimeBuckets > MinLearningBuckets);
let AlertTimeSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, Fqdn);
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, Fqdn
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, Fqdn, AlertTimeSrcIpDenyRateCount, LearningTimeBuckets, LearningThreshold
status: Available
customDetails:
Threshold: LearningThreshold
AlertCount: AlertTimeSrcIpDenyRateCount