Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive Blocked Traffic Events Generated by User

Excessive Blocked Traffic Events Generated by User

Back
Idfa0ab69c-7124-4f62-acdd-61017cf6ce89
RulenameExcessive Blocked Traffic Events Generated by User
DescriptionCreates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.
SeverityMedium
TacticsExfiltration
CommandAndControl
LateralMovement
TechniquesT1041
T1132
T1001
T1021
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
Version1.0.3
Arm templatefa0ab69c-7124-4f62-acdd-61017cf6ce89.json
Deploy To Azure
let threshold = 15;
let NoteableEvents = SymantecEndpointProtection
| where LogType == "Agent Traffic Logs"
| where Action =~ "Blocked"
| summarize TotalBlockedEvents = count() by UserName
| where TotalBlockedEvents > threshold;
SymantecEndpointProtection
| where LogType =~ "Agent Traffic Logs"
| where Action =~ "Blocked"
| join kind=inner (NoteableEvents) on UserName
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName

name: Excessive Blocked Traffic Events Generated by User
relevantTechniques:
- T1041
- T1132
- T1001
- T1021
id: fa0ab69c-7124-4f62-acdd-61017cf6ce89
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
version: 1.0.3
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserName
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: LocalHostIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: RemoteHostIpAddr
  entityType: IP
- fieldMappings:
  - identifier: FullName
    columnName: ServerName
  entityType: Host
queryFrequency: 1h
status: Available
query: |
  let threshold = 15;
  let NoteableEvents = SymantecEndpointProtection
  | where LogType == "Agent Traffic Logs"
  | where Action =~ "Blocked"
  | summarize TotalBlockedEvents = count() by UserName
  | where TotalBlockedEvents > threshold;
  SymantecEndpointProtection
  | where LogType =~ "Agent Traffic Logs"
  | where Action =~ "Blocked"
  | join kind=inner (NoteableEvents) on UserName
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName  
tactics:
- Exfiltration
- CommandAndControl
- LateralMovement
kind: Scheduled
description: |
    'Creates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.'
triggerOperator: gt