Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive Blocked Traffic Events Generated by User

Excessive Blocked Traffic Events Generated by User

Back
Idfa0ab69c-7124-4f62-acdd-61017cf6ce89
RulenameExcessive Blocked Traffic Events Generated by User
DescriptionCreates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.
SeverityMedium
TacticsExfiltration
CommandAndControl
LateralMovement
TechniquesT1041
T1132
T1001
T1021
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
Version1.0.3
Arm templatefa0ab69c-7124-4f62-acdd-61017cf6ce89.json
Deploy To Azure
let threshold = 15;
let NoteableEvents = SymantecEndpointProtection
| where LogType == "Agent Traffic Logs"
| where Action =~ "Blocked"
| summarize TotalBlockedEvents = count() by UserName
| where TotalBlockedEvents > threshold;
SymantecEndpointProtection
| where LogType =~ "Agent Traffic Logs"
| where Action =~ "Blocked"
| join kind=inner (NoteableEvents) on UserName
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName

description: |
    'Creates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.'
kind: Scheduled
tactics:
- Exfiltration
- CommandAndControl
- LateralMovement
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
severity: Medium
name: Excessive Blocked Traffic Events Generated by User
triggerThreshold: 0
queryPeriod: 1h
query: |
  let threshold = 15;
  let NoteableEvents = SymantecEndpointProtection
  | where LogType == "Agent Traffic Logs"
  | where Action =~ "Blocked"
  | summarize TotalBlockedEvents = count() by UserName
  | where TotalBlockedEvents > threshold;
  SymantecEndpointProtection
  | where LogType =~ "Agent Traffic Logs"
  | where Action =~ "Blocked"
  | join kind=inner (NoteableEvents) on UserName
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName  
relevantTechniques:
- T1041
- T1132
- T1001
- T1021
id: fa0ab69c-7124-4f62-acdd-61017cf6ce89
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserName
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: LocalHostIpAddr
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: RemoteHostIpAddr
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: ServerName
    identifier: FullName