GSA - Detect Abnormal Deny Rate for Source to Destination IP
Id | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b |
Rulename | GSA - Detect Abnormal Deny Rate for Source to Destination IP |
Description | Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. Configurable Parameters: - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3. - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5. - binTime: Learning buckets time in hours. Default is set to 1 hour. - minimumThreshold: Minimum threshold for alert. Default is set to 5. - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5. |
Severity | Medium |
Tactics | InitialAccess Exfiltration CommandAndControl |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1h |
Query period | 25h |
Trigger threshold | 1 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml |
Version | 1.0.2 |
Arm template | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b.json |
let NumOfStdsThreshold = 3;
let LearningPeriod = 5d;
let BinTime = 1h;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = NetworkAccessTraffic
| where Action == "Denied"
| where isnotempty(DestinationIp) and isnotempty(SourceIp);
let LearningSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
| summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
| where LearningTimeBuckets > MinLearningBuckets;
let AlertTimeSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(1h) .. now())
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
triggerThreshold: 1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
version: 1.0.2
relevantTechniques: []
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: DestinationIp
requiredDataConnectors:
- dataTypes:
- NetworkAccessTrafficLogs
connectorId: AzureActiveDirectory
queryPeriod: 25h
status: Available
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
kind: Scheduled
triggerOperator: gt
query: |
let NumOfStdsThreshold = 3;
let LearningPeriod = 5d;
let BinTime = 1h;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = NetworkAccessTraffic
| where Action == "Denied"
| where isnotempty(DestinationIp) and isnotempty(SourceIp);
let LearningSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
| summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
| where LearningTimeBuckets > MinLearningBuckets;
let AlertTimeSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(1h) .. now())
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
name: GSA - Detect Abnormal Deny Rate for Source to Destination IP
severity: Medium
id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
queryFrequency: 1h
description: |
Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
Configurable Parameters:
- minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
- learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
- binTime: Learning buckets time in hours. Default is set to 1 hour.
- minimumThreshold: Minimum threshold for alert. Default is set to 5.
- minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]",
"properties": {
"alertRuleTemplateName": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b",
"customDetails": null,
"description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.\n\nConfigurable Parameters:\n - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.\n - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.\n - binTime: Learning buckets time in hours. Default is set to 1 hour.\n - minimumThreshold: Minimum threshold for alert. Default is set to 5.\n - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.\n",
"displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "DestinationIp",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml",
"query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == \"Denied\"\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT25H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Exfiltration",
"InitialAccess"
],
"techniques": [],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}