Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GSA - Detect Abnormal Deny Rate for Source to Destination IP

GSA - Detect Abnormal Deny Rate for Source to Destination IP

Back
Ide3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
RulenameGSA - Detect Abnormal Deny Rate for Source to Destination IP
DescriptionIdentifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
SeverityMedium
TacticsInitialAccess
Exfiltration
CommandAndControl
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period25h
Trigger threshold1
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
Version1.0.1
Arm templatee3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b.json
Deploy To Azure
let NumOfStdsThreshold = 3;
let LearningPeriod = 5d;
let BinTime = 1h;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = NetworkAccessTraffic
  | where Action == 'Denied'
  | where isnotempty(DestinationIp) and isnotempty(SourceIp);
let LearningSrcIpDenyRate = TrafficLogs
  | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
  | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
  | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
  | where LearningTimeBuckets > MinLearningBuckets;
let AlertTimeSrcIpDenyRate = TrafficLogs
  | where TimeGenerated between (ago(1h) .. now())
  | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;
AlertTimeSrcIpDenyRate
  | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
  | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
  | where AlertTimeSrcIpDenyRateCount > LearningThreshold
  | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold    

relevantTechniques: []
name: GSA - Detect Abnormal Deny Rate for Source to Destination IP
requiredDataConnectors:
- dataTypes:
  - NetworkAccessTrafficLogs
  connectorId: AzureActiveDirectory
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIp
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: DestinationIp
  entityType: URL
triggerThreshold: 1
id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
queryPeriod: 25h
kind: Scheduled
configurableParameters:
- minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
- learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
- binTime: Learning buckets time in hours. Default is set to 1 hour.
- minimumThreshold: Minimum threshold for alert. Default is set to 5.
- minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
queryFrequency: 1h
severity: Medium
status: Available
description: |
    Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
query: |
  let NumOfStdsThreshold = 3;
  let LearningPeriod = 5d;
  let BinTime = 1h;
  let MinThreshold = 5.0;
  let MinLearningBuckets = 5;
  let TrafficLogs = NetworkAccessTraffic
    | where Action == 'Denied'
    | where isnotempty(DestinationIp) and isnotempty(SourceIp);
  let LearningSrcIpDenyRate = TrafficLogs
    | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
    | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
    | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
    | where LearningTimeBuckets > MinLearningBuckets;
  let AlertTimeSrcIpDenyRate = TrafficLogs
    | where TimeGenerated between (ago(1h) .. now())
    | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;
  AlertTimeSrcIpDenyRate
    | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
    | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
    | where AlertTimeSrcIpDenyRateCount > LearningThreshold
    | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold      
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
      "properties": {
        "alertRuleTemplateName": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b",
        "configurableParameters": [
          {
            "minimumOfStdsThreshold": "The number of stds to use in the threshold calculation. Default is set to 3."
          },
          {
            "learningPeriodTime": "Learning period for threshold calculation in days. Default is set to 5."
          },
          {
            "binTime": "Learning buckets time in hours. Default is set to 1 hour."
          },
          {
            "minimumThreshold": "Minimum threshold for alert. Default is set to 5."
          },
          {
            "minimumBucketThreshold": "Minimum learning buckets threshold for alert. Default is set to 5."
          }
        ],
        "customDetails": null,
        "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n",
        "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "DestinationIp",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml",
        "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n  | where Action == 'Denied'\n  | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n  | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n  | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n  | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n  | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n  | where TimeGenerated between (ago(1h) .. now())\n  | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n  | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n  | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n  | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n  | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold    \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT25H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}