GSA - Detect Protocol Changes for Destination Ports
| Id | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a |
| Rulename | GSA - Detect Protocol Changes for Destination Ports |
| Description | Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. |
| Severity | Medium |
| Tactics | DefenseEvasion Exfiltration CommandAndControl |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 8d |
| Trigger threshold | 1 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml |
| Version | 1.0.1 |
| Arm template | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a.json |
let LearningPeriod = 7d;
let RunTime = 1d;
let StartLearningPeriod = ago(LearningPeriod + RunTime);
let EndRunTime = ago(RunTime);
let LearningPortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (StartLearningPeriod .. EndRunTime)
| where isnotempty(DestinationPort)
| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
let AlertTimePortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (EndRunTime .. now())
| where isnotempty(DestinationPort)
| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
AlertTimePortToProtocol
| join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
| where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol
| project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn
| extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn
relevantTechniques: []
name: GSA - Detect Protocol Changes for Destination Ports
Configurable Parameters:
- Learning period - the time range to establish the baseline. Default is set to 7 days.
- Run time - the time range for current analysis. Default is set to 1 day.
requiredDataConnectors:
- dataTypes:
- EnrichedMicrosoft365AuditLogs
connectorId: AzureActiveDirectory
entityMappings:
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
- fieldMappings:
- identifier: Url
columnName: FqdnCustomEntity
entityType: URL
triggerThreshold: 1
id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a
tactics:
- DefenseEvasion
- Exfiltration
- CommandAndControl
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
queryPeriod: 8d
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.
query: |
let LearningPeriod = 7d;
let RunTime = 1d;
let StartLearningPeriod = ago(LearningPeriod + RunTime);
let EndRunTime = ago(RunTime);
let LearningPortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (StartLearningPeriod .. EndRunTime)
| where isnotempty(DestinationPort)
| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
let AlertTimePortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (EndRunTime .. now())
| where isnotempty(DestinationPort)
| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
AlertTimePortToProtocol
| join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
| where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol
| project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn
| extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]",
"properties": {
"alertRuleTemplateName": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a",
"Configurable Parameters": [
"Learning period - the time range to establish the baseline. Default is set to 7 days.",
"Run time - the time range for current analysis. Default is set to 1 day."
],
"customDetails": null,
"description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.\n",
"displayName": "GSA - Detect Protocol Changes for Destination Ports",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "FqdnCustomEntity",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml",
"query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n | where isnotempty(DestinationPort)\n | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (EndRunTime .. now())\n | where isnotempty(DestinationPort)\n | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n",
"queryFrequency": "PT1H",
"queryPeriod": "P8D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Exfiltration"
],
"techniques": [],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 1
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}