Shain
GitHub
Коммит
f8022cafe9
|
|
@ -0,0 +1,38 @@
|
|||
id:
|
||||
name: Several deny actions registered
|
||||
description: |
|
||||
'Identifies attach pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureFirewall
|
||||
dataTypes:
|
||||
- AzureDiagnostics
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 1
|
||||
tactics:
|
||||
- Discovery
|
||||
- LateralMovement
|
||||
- CommandAndControl
|
||||
relevantTechniques:
|
||||
- T1046
|
||||
- T1041
|
||||
- T1071
|
||||
query: |
|
||||
|
||||
let timeframe = ago(1h);
|
||||
let threshold = 1;
|
||||
AzureDiagnostics
|
||||
| where TimeGenerated >= timeframe
|
||||
| where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
|
||||
| extend msg_s_replaced0 = replace(@"\s\s",@" ",msg_s)
|
||||
| extend msg_s_replaced1 = replace(@"\.\s",@" ",msg_s_replaced0)
|
||||
| extend msg_a = split(msg_s_replaced1," ")
|
||||
| extend srcAddr_a = split(msg_a[3],":") , destAddr_a = split(msg_a[5],":")
|
||||
| extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])
|
||||
| where action == "Deny"
|
||||
| extend url = iff(destIp matches regex "\\d+\\.\\d+\\.\\d+\\.\\d+","",destIp)
|
||||
| summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol
|
||||
| where count_ >= ["threshold"]
|
||||
| extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp
|
||||
Загрузка…
Ссылка в новой задаче