Merge pull request #9975 from praveenthepro/patch-11
Create Protocols passing authentication in cleartext (ASIM Network Se…
v-prasadboke authored Mar 12, 2024
2 parents d8b3815 + c7fea6d commit 2e7389f
Showing 10 changed files with 352 additions and 118 deletions.
@@ -0,0 +1,53 @@
id: 8717e498-7b5d-4e23-9e7c-fa4913dbfd79
name: Anomaly in SMB Traffic(ASIM Network Session schema)
description: |
'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 average deviations.'
severity: Medium
status: Available
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- LateralMovement
relevantTechniques:
- T1021
- T1021.002
query: |
// Define the threshold for deviation
let threshold = 50;
// Define the time range for the baseline data
let starttime = 14d;
let endtime = 1d;
// Define the SMB ports to monitor
let SMBPorts = dynamic(["139", "445"]);
// Get the baseline data for user network sessions and Filter for the defined time range
let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
| summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
| summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
// Get the recent user activity data and Filter for recent activity
let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
| where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
// Join the baseline and recent activity data
let UserBehaviorAnalysis = userBaseline
| join kind=inner (recentUserActivity) on SrcIpAddr, DstPortNumber
| extend Deviation = abs(RecentCount - AvgCount) / AvgCount; // Calculate the deviation
// Filter for deviations greater than the threshold
UserBehaviorAnalysis
| where Deviation > threshold
| project SrcIpAddr, DstPortNumber, Deviation, Count = RecentCount; // Project the required columns
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
kind: Scheduled
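Review bot: The second `summarize` on the baseline (the `AvgCount = avg(Count)` line) is a no-op, because the preceding `summarize Count = count() by SrcIpAddr, DstPortNumber` already yields exactly one row per source/port, so `AvgCount` is the whole-baseline total rather than a daily average and `Deviation` compares one day of traffic against roughly two weeks of it; with `threshold = 50` that condition will almost never be met. Binning the baseline per day gives the average the description promises: `| summarize Count = count() by SrcIpAddr, DstPortNumber, bin(TimeGenerated, 1d) // one row per source/port/day`. Note also that `starttime = 14d` with `endtime = 1d` yields a 13-day baseline, not the 14 days the comments and description state, and that `Deviation` is a ratio, so `threshold = 50` means fifty times the average rather than "50 average deviations"; the `description:` text should say so.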
@@ -0,0 +1,39 @@
id: b7dc801e-1e79-48bb-91e8-2229a8e6d40b
name: Remote Desktop Network Brute force (ASIM Network Session schema)
description: |
'This detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.'
severity: Medium
status: Available
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
// Start of the query and Filter events that resulted in failure
_Im_NetworkSession(eventresult="Failure")
// Filter out private source IP addresses and focus on specific destination port (3389)
// Also, ensure that the source and destination IP addresses are not the same
| where not(ipv4_is_private(SrcIpAddr)) and tostring(DstPortNumber) has_any ("3389") and SrcIpAddr != DstIpAddr
// Summarize the data by source and destination IP addresses, destination port number, network protocol, and event result
// Also, bin the time generated in 5-minute intervals
// Calculate the minimum and maximum time generated, the sum of event counts, and a set of up to 10 event vendors
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),TargettedIPs=dcount(DstIpAddr),Eventscount=sum(EventCount),EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstPortNumber,EventResult, bin(TimeGenerated, 5m)
// Filter the summarized data to include only those with an event count of 25 or more
| where Eventscount >= 25
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
kind: Scheduled
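Review bot: The comment above the `summarize` says the data is grouped by source and destination IP, network protocol and event result, but the `by` clause groups only by `SrcIpAddr, DstPortNumber, EventResult, bin(TimeGenerated, 5m)` and folds the destinations into `TargettedIPs=dcount(DstIpAddr)`, so the rule fires per source, not per source/destination pair as the description claims. Either the comment and description should say `per source IP, destination port and 5-minute bin`, or `DstIpAddr` belongs in the `by` clause. The threshold wording also disagrees with the code: `Eventscount >= 25` fires at 25 or more, not "more than 25". Since the query already restricts to port 3389, passing it to the parser as `_Im_NetworkSession(eventresult="Failure", dstportnumber=3389)` applies the filter before normalization; the existing `where` can stay as a guard.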
Expand Up @@ -20,10 +20,13 @@
],
"PlaybookDescription": "This solution installs the \"Summarize Data\" Playbook templates. It is \"highly recommended\" to use the \"Summarize data\" logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries. After installing the solution, this will be deployed under Playbook Templates in the Automation blade of Microsoft Sentinel. It can be configured and managed from the Manage solution view in Content Hub.",
"Hunting Queries": [
"Hunting Queries/Detect Outbound LDAP Traffic(ASIM Network Session schema).yaml",
"Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml",
"Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml",
"Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml",
"Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml"
"Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml",
"Hunting Queries/Protocols passing authentication in cleartext (ASIM Network Session schema).yaml",
"Hunting Queries/Remote Desktop Network Traffic(ASIM Network Session schema).yaml"
],
"Watchlists": [
"Watchlists/NetworkSession_Monitor_Configuration.json"
@@ -0,0 +1,26 @@
id: 5dca6047-24ed-4eb7-b44e-ec7f1bf42621
name: Detect Outbound LDAP Traffic(ASIM Network Session schema)
description: |
'Malicious actors often abuse misconfigured LDAP servers or applications that use the LDAP servers in organizations. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall.'
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []
tactics:
- InitialAccess
- Execution
relevantTechniques:
- T1071
- T1059
query: |
_Im_NetworkSession(starttime=ago(1d))
| where EventResult=="Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
| where tostring(DstPortNumber) has_any ("389", "636")
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),Eventscount=sum(EventCount), EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstIpAddr,DstPortNumber,NetworkProtocol,EventResult
| extend IP_0_Address = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.0.0
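Review bot: The `where EventResult=="Failure"` filter limits this hunt to sessions that failed or were blocked, while the description says outbound LDAP should not be allowed through the perimeter at all — the successful outbound sessions, which are the ones indicating the control is missing, are excluded; either drop the `EventResult` clause or state in the description that the query surfaces blocked attempts only. The sibling cleartext-protocols hunting query in this commit uses the opposite predicate (`EventResult != "Failure"`), so the intent deserves a comment either way, e.g. `// failed sessions only: blocked outbound LDAP attempts`. The tactics also do not match the techniques: T1071 (Application Layer Protocol) belongs to Command and Control and T1059 to Execution, neither to Initial Access, so `tactics:` should list `- CommandAndControl` and `- Execution`.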
@@ -0,0 +1,37 @@
id: 96f9fdd1-bb5b-4d32-8790-666457dc00c0
name: Protocols passing authentication in cleartext (ASIM Network Session schema)
description: |
'This hunting query identifies cleartext protocols like telnet, POP3, IMAP, and non-anonymous FTP that could leak sensitive information. These protocols may use SSL, but usually on different ports.'
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []

tactics:
- CommandAndControl
relevantTechniques:
- T1071

query: |
// Filter events from last 1 day and not failed
_Im_NetworkSession(starttime=ago(1d))
// Filter for private source IP and public destination IP
| where EventResult != "Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr))
// Filter for specific destination ports or non-anonymous FTP
| where tostring(DstPortNumber) has_any ("23", "143", "110") or (tostring(DstPortNumber) == "21" and SrcUsername != "anonymous")
// Summarize data by session parameters
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),Eventscount=sum(EventCount), EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstIpAddr,DstPortNumber,NetworkProtocol,EventResult
| extend PortUsage = case(
DstPortNumber == 23, "Telnet",
DstPortNumber == 143, "IMAP",
DstPortNumber == 110, "POP3",
DstPortNumber == 21, "FTP",
"Other"
)
| extend IP_0_Address = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.0.0
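Review bot: The FTP branch on the second `where` line, `SrcUsername != "anonymous"`, is a case-sensitive comparison, so `Anonymous` or `ANONYMOUS` logins are reported as authenticated cleartext FTP; KQL's case-insensitive operator avoids that: `(tostring(DstPortNumber) == "21" and SrcUsername !~ "anonymous")`. The same clause is also true when `SrcUsername` is empty, which is probably the common case for network-session sources that do not record users, so every port-21 session from such a source is classified as non-anonymous — worth stating in the description or in a comment such as `// sessions without a username are treated as non-anonymous FTP`. Minor: the `case()` compares the numeric `DstPortNumber` while the `where` clauses compare `tostring(DstPortNumber)`; `DstPortNumber in (23, 143, 110)` throughout is simpler and avoids term matching on a string.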
@@ -0,0 +1,30 @@
id: 6fd69768-fdf1-4cfd-805f-b243be3f0c6d
name: Remote Desktop Network Traffic(ASIM Network Session schema)
description: |
'This hunting query looks for unusual remote desktop activity by monitoring TCP/3389 traffic. While RDP is common, focus on atypical connections to identify potential threats.'
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
requiredDataConnectors: []
tactics:
- LateralMovement
relevantTechniques:
- T1021
- T1021.001
query: |
// Filter events from the last day that were not failures
_Im_NetworkSession(starttime=ago(1d))
// Filter events where the source IP is private, the destination IP is not private, and the source and destination IPs are not the same
| where EventResult == "Failure" and ipv4_is_private(SrcIpAddr) and not(ipv4_is_private(DstIpAddr)) and SrcIpAddr != DstIpAddr
// Filter events where the destination port number is 3389 (commonly used for Microsoft Remote Desktop (RDP))
| where tostring(DstPortNumber) has_any ("3389")
// Summarize the data by source IP, destination IP, destination port number, network protocol, and event result
// For each group, calculate the start time, end time, event count, and a set of up to 10 event vendors
| summarize Starttime= min(TimeGenerated),EndTime= max(TimeGenerated),Eventscount=sum(EventCount), EventVendors=make_set(EventVendor,10) by SrcIpAddr,DstIpAddr,DstPortNumber,NetworkProtocol,EventResult
| extend IP_0_Address = SrcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.0.0
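Review bot: The comment above `_Im_NetworkSession(starttime=ago(1d))` says the query takes events "that were not failures", but the `where` immediately below keeps only `EventResult == "Failure"`; one of the two is wrong, and the description (monitoring TCP/3389 traffic for atypical connections) reads as if successful sessions were intended. If failures are intended, the comment should read `// Filter events from the last day that failed` and the description should say the hunt surfaces blocked or failed RDP attempts; otherwise the predicate should become `EventResult != "Failure"`, as the cleartext-protocols hunting query in this commit does. The port filter on `tostring(DstPortNumber) has_any ("3389")` could likewise be passed to the parser as `dstportnumber=3389` so that it is applied before normalization.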
Binary file not shown.
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. 
Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 4, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. 
Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 5, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
Expand Down Expand Up @@ -296,6 +296,20 @@
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Protocols passing authentication in cleartext (ASIM Network Session schema)",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies cleartext protocols like telnet, POP3, IMAP, and non-anonymous FTP that could leak sensitive information. These protocols may use SSL, but usually on different ports. "
}
}
]
}
]
},
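Review bot: The `**Hunting Queries:** 5` count in the new description and the single added `huntingquery5` section do not line up with the rest of the commit: the Solution manifest hunk in this same commit lists seven hunting-query files and appears to add three new entries, and two new `kind: Scheduled` rule templates are added while `**Analytic Rules:** 7` is unchanged. If this file is produced by the solution packaging tooling, regenerating it after the manifest update would reconcile the counts and sections; otherwise the count should read `**Hunting Queries:** 7` with matching `huntingquery6`/`huntingquery7` sections for the other two queries. The manifest's Analytic Rules list is outside the visible hunk, so whether the two rule templates are registered there cannot be confirmed from this page.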