let threshold = 5;
OCILogs
| where EventType contains 'vcn.flowlogs'
| where data_action_s =~ 'REJECT'
| where ipv4_is_private(DstIpAddr)
| where ipv4_is_private(SrcIpAddr) == False
| where DstPortNumber == 22
| summarize p_count = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m)
| where p_count > threshold
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
requiredDataConnectors:
- dataTypes:
- OCILogs
connectorId: OracleCloudInfrastructureLogsConnector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCISSHScan.yaml
name: OCI - SSH scanner
relevantTechniques:
- T1595
status: Available
version: 1.0.1
queryPeriod: 1h
kind: Scheduled
id: e087d4fb-af0b-4e08-a067-b9ba9e5f8840
query: |
let threshold = 5;
OCILogs
| where EventType contains 'vcn.flowlogs'
| where data_action_s =~ 'REJECT'
| where ipv4_is_private(DstIpAddr)
| where ipv4_is_private(SrcIpAddr) == False
| where DstPortNumber == 22
| summarize p_count = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m)
| where p_count > threshold
| extend IPCustomEntity = SrcIpAddr
description: |
'Detects possible SSH scanning activity.'
queryFrequency: 1h
severity: High
triggerOperator: gt
tactics:
- Reconnaissance
