GSA - Detect Protocol Changes for Destination Ports
| Id | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a |
| Rulename | GSA - Detect Protocol Changes for Destination Ports |
| Description | Identifies changes in the transport protocol used for specific destination ports by comparing the current run-time window with a learned baseline. This can indicate potential protocol misuse or a configuration change. Configurable parameters: learning period (the time range used to establish the baseline; default 7 days) and run time (the time range under analysis; default 1 day). |
| Severity | Medium |
| Tactics | DefenseEvasion Exfiltration CommandAndControl |
| Techniques | T1571 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 8d |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml |
| Version | 1.0.4 |
| Arm template | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a.json |
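// Baseline window is the LearningPeriod that immediately precedes the RunTime window.
// The rule's queryPeriod must cover LearningPeriod + RunTime (8d for the defaults below).
let LearningPeriod = 7d;
let RunTime = 1d;
let StartLearningPeriod = ago(LearningPeriod + RunTime);
let EndRunTime = ago(RunTime);
// Baseline: the full set of transport protocols seen per (destination port, source IP, destination FQDN).
// A set is collected rather than one row per protocol so that a port legitimately used with
// several protocols during the baseline (for example both TCP and UDP) does not alert on
// either of them; one row per protocol would match the "other" baseline row and fire.
let LearningPortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (StartLearningPeriod .. EndRunTime)
| where isnotempty(DestinationPort) and isnotempty(TransportProtocol)
| summarize LearningTimeCount = count(), LearningTimeProtocol = make_set(TransportProtocol) by LearningTimeDstPort = DestinationPort, SourceIp, DestinationFqdn;
// Current window: one row per (destination port, protocol, source IP, destination FQDN) seen during RunTime.
let AlertTimePortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (EndRunTime .. now())
| where isnotempty(DestinationPort) and isnotempty(TransportProtocol)
| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
AlertTimePortToProtocol
// Inner join: a port with no baseline at all is a "new port", not a "protocol change", and is out
// of scope for this rule. The previous leftouter join was filtered to non-empty baselines anyway,
// so the inner join only makes that intent explicit.
| join kind=inner (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
// Alert only when the current protocol was never observed for this port/source/destination in the baseline.
| where not(set_has_element(LearningTimeProtocol, AlertTimeProtocol))
// LearningTimeProtocol is now the baseline protocol set (dynamic array) rather than a single string;
// the event counts are kept so an analyst can judge how established the baseline is.
| project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, LearningTimeCount, AlertTimeCount, SourceIp, DestinationFqdn
| extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn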
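# Scheduled analytic rule: alert when a destination port is used with a transport protocol
# that was not seen for the same port/source IP/destination FQDN during the learning baseline.
version: 1.0.4
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - NetworkAccessTrafficLogs
status: Available
entityMappings:
  - fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
    entityType: IP
  - fieldMappings:
      - identifier: Url
        columnName: FqdnCustomEntity
    entityType: URL
tactics:
  - DefenseEvasion
  - Exfiltration
  - CommandAndControl
relevantTechniques:
  - T1571
queryFrequency: 1h
severity: Medium
name: GSA - Detect Protocol Changes for Destination Ports
description: |
  Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.
  This can indicate potential protocol misuse or configuration changes.
  Configurable Parameters:
  - Learning period: The time range to establish the baseline. Default is set to 7 days.
  - Run time: The time range for current analysis. Default is set to 1 day.
triggerThreshold: 1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
query: |
  // Baseline window is the LearningPeriod that immediately precedes the RunTime window.
  // queryPeriod below must cover LearningPeriod + RunTime (8d for these defaults).
  let LearningPeriod = 7d;
  let RunTime = 1d;
  let StartLearningPeriod = ago(LearningPeriod + RunTime);
  let EndRunTime = ago(RunTime);
  // Baseline: the full set of transport protocols seen per (destination port, source IP, destination FQDN).
  // A set is collected rather than one row per protocol so that a port legitimately used with
  // several protocols during the baseline (for example both TCP and UDP) does not alert on
  // either of them; one row per protocol would match the "other" baseline row and fire.
  let LearningPortToProtocol =
  NetworkAccessTraffic
  | where TimeGenerated between (StartLearningPeriod .. EndRunTime)
  | where isnotempty(DestinationPort) and isnotempty(TransportProtocol)
  | summarize LearningTimeCount = count(), LearningTimeProtocol = make_set(TransportProtocol) by LearningTimeDstPort = DestinationPort, SourceIp, DestinationFqdn;
  // Current window: one row per (destination port, protocol, source IP, destination FQDN) seen during RunTime.
  let AlertTimePortToProtocol =
  NetworkAccessTraffic
  | where TimeGenerated between (EndRunTime .. now())
  | where isnotempty(DestinationPort) and isnotempty(TransportProtocol)
  | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
  AlertTimePortToProtocol
  // Inner join: a port with no baseline at all is a "new port", not a "protocol change", and is out
  // of scope for this rule (the previous leftouter join was filtered to non-empty baselines anyway).
  | join kind=inner (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
  // Alert only when the current protocol was never observed for this port/source/destination in the baseline.
  | where not(set_has_element(LearningTimeProtocol, AlertTimeProtocol))
  // LearningTimeProtocol is the baseline protocol set (dynamic array); counts are kept for triage context.
  | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, LearningTimeCount, AlertTimeCount, SourceIp, DestinationFqdn
  | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn
kind: Scheduled
# 8d = LearningPeriod (7d) + RunTime (1d); keep in step with the constants in the query.
queryPeriod: 8d
triggerOperator: gt
id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a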