Id: 3f0c20d5-6228-48ef-92f3-9ff7822c1954
Rulename: A host is potentially running a hacking tool (ASIM Web Session schema)
Description: This rule identifies a web request whose User-Agent header is known to belong to a hacking tool, which indicates that a hacking tool is in use on the host. You can add custom User-Agent headers that indicate hacking tools using a watchlist; for more information, refer to the UnusualUserAgents watchlist. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema).
Severity: Medium
Tactics: Execution

Id: cd6def0d-3ef0-4d55-a7e3-faa96c46ba12
Rulename: Anomaly found in Network Session Traffic (ASIM Network Session schema)
Description: The rule identifies anomalous patterns in network session traffic based on previously seen data: a different Device Action, Network Protocol, Network Direction, or overall volume. The rule uses ASIM normalization and is applied to any source that supports the ASIM Network Session schema.
Severity: Medium
Tactics: CommandAndControl, Discovery, Exfiltration, LateralMovement
Techniques: T1095, T1071, T1046, T1030

Id: 9b8dd8fd-f192-42eb-84f6-541920400a7a
Rulename: App Gateway WAF - Scanner Detection
Description: Identifies a match for a scanner-detection user-agent-based attack in the App Gateway WAF logs. The threshold value in the query can be changed to suit your infrastructure's requirements.
References: https://owasp.org/www-community/Vulnerability_Scanning_Tools
Severity: High
Tactics: DefenseEvasion, Execution, InitialAccess, Reconnaissance, Discovery
Techniques: T1548, T1203, T1190, T1595, T1046
Required data connectors: WAF
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Id: 79f29feb-6a9d-4cdf-baaa-2daf480a5da1
Rulename: Cisco ASA - average attack detection rate increase
Description: This will help you determine whether Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours, based on DeviceEventClassID 733100.
References: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html
Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
Severity: Low
Tactics: Discovery, Impact
Techniques: T1046, T1498
Required data connectors: CiscoASA
Kind: Scheduled
Query frequency: 1h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Id: 795edf2d-cf3e-45b5-8452-fe6c9e6a582e
Rulename: Cisco ASA - threat detection message fired
Description: Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network, indicated by DeviceEventClassID 733101-733105.
Resources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html
Details on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
Severity: Medium
Tactics: Discovery, Impact
Techniques: T1046, T1498
Required data connectors: CiscoASA
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Id: 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7
Rulename: Cross-Cloud Suspicious user activity observed in GCP Environment
Description: This detection query correlates potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products, in order to identify potential cross-cloud security incidents. By summarizing these findings, the query provides insight into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks.

Id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
Rulename: GSA - Detect Source IP Scanning Multiple Open Ports
Description: Identifies a source IP scanning multiple open ports on the Global Secure Access Firewall. This can indicate malicious port scanning by an attacker trying to reveal open ports in the organization that could be compromised for initial access.
Configurable Parameters:
- Port scan time - the time range in which to look for multiple ports scanned. Default is set to 30 seconds.

Id: cd8faa84-4464-4b4e-96dc-b22f50c27541
Rulename: Network Port Sweep from External Network (ASIM Network Session schema)
Description: This detection rule identifies scenarios in which a particular port is being scanned by multiple external sources. The rule uses ASIM normalization and is applied to any source that supports the ASIM Network Session schema.
Severity: High
Tactics: Reconnaissance, Discovery
Techniques: T1590, T1046
Required data connectors: AIVectraStream, AWSS3, AzureFirewall, AzureMonitor(VMInsights), AzureNSG, CheckPoint, CiscoASA, CiscoAsaAma, CiscoMeraki

Id: 5b72f527-e3f6-4a00-9908-8e4fee14da9f
Rulename: Palo Alto - possible internal to external port scanning
Description: Identifies a list of internal source IPs (10.x.x.x hosts) that have triggered 10 or more non-graceful TCP server resets from one or more destination IPs, which results in an "ApplicationProtocol = incomplete" designation. The server resets coupled with an "incomplete" ApplicationProtocol designation can be an indication of an internal-to-external port scanning or probing attack.

Id: 89a86f70-615f-4a79-9621-6f68c50f365f
Rulename: Palo Alto Threat signatures from Unusual IP addresses
Description: Identifies Palo Alto Threat signatures from unusual IP addresses that have not been seen historically. This detection is also used by, and required for, the MDE and PAN Fusion scenario: https://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall
Severity: Medium
Tactics: Discovery, Exfiltration, CommandAndControl
Techniques: T1046, T1030, T1071.001
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.