Detection rules › Kusto
Abnormal Deny Rate for Source IP
'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules. Configurable Parameters: - Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3. - Learning period time - learning period for threshold calculation in days. Default is set to 5. - Bin time - learning buckets time in hours. Default is set to 1 hour. - Minimum threshold - minimum threshold for alert. Default is set to 5. - Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
| Discovery | T1046 Network Service Discovery |
| Command & Control | T1568.001 Dynamic Resolution: Fast Flux DNS, T1568.002 Dynamic Resolution: Domain Generation Algorithms |
| Exfiltration | T1041 Exfiltration Over C2 Channel |
Rule body kusto
id: d36bb1e3-5abc-4037-ad9a-24ba3469819e
name: Abnormal Deny Rate for Source IP
description: |
'Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where attacker tries to exploit the same vulnerability on machines in the organization, but is being blocked by firewall rules.
Configurable Parameters:
- Minimum of stds threshold - the number of stds to use in the threshold calculation. Default is set to 3.
- Learning period time - learning period for threshold calculation in days. Default is set to 5.
- Bin time - learning buckets time in hours. Default is set to 1 hour.
- Minimum threshold - minimum threshold for alert. Default is set to 5.
- Minimum bucket threshold - minimum learning buckets threshold for alert. Default is set to 5.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- AZFWApplicationRule
- AZFWNetworkRule
- AZFWFlowTrace
- AZFWIdpsSignature
queryFrequency: 1h
queryPeriod: 25h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
- Discovery
relevantTechniques:
- T1190
- T1041
- T1568.001
- T1568.002
- T1046
query: |
let LearningPeriod = 1d;
let RunTime = 1h;
let StartLearningPeriod = LearningPeriod + RunTime;
let EndRunTime = RunTime - 1h;
let BinTime = 1h;
let NumOfStdsThreshold = 3;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
// Restrict unioned tables to the full analysis window to avoid full-table scans
let FullWindowStart = ago(StartLearningPeriod);
let FullWindowEnd = now();
let TrafficLogs = (union isfuzzy=true
(AzureDiagnostics
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWNetworkRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWFlowTrace
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWIdpsSignature
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| extend Fqdn = DestinationIp
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)),
(AZFWApplicationRule
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
| where Action == "Deny"
| where isnotempty(Fqdn) and isnotempty(SourceIp)));
let LearningSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
| where LearningTimeBuckets > MinLearningBuckets);
let AlertTimeSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, Fqdn);
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, Fqdn
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, Fqdn, AlertTimeSrcIpDenyRateCount, LearningTimeBuckets, LearningThreshold
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Fqdn
customDetails:
AlertCount: AlertTimeSrcIpDenyRateCount
Threshold: LearningThreshold
alertDetailsOverride:
alertDisplayNameFormat: 'Abnormal Deny Rate for Source IP {{SourceIp}}'
alertDescriptionFormat: |
The source IP {{SourceIp}} has an abnormal deny rate to destination {{Fqdn}} with {{AlertTimeSrcIpDenyRateCount}} denies, which is above the calculated threshold. This could indicate potential exfiltration, initial access or C2 activities.
version: 1.1.3
kind: Scheduled
Stages and Predicates
Parameters
let LearningPeriod = 1d;
let RunTime = 1h;
let StartLearningPeriod = LearningPeriod + RunTime;
let EndRunTime = RunTime - 1h;
let BinTime = 1h;
let NumOfStdsThreshold = 3;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let FullWindowStart = ago(StartLearningPeriod);
let FullWindowEnd = now();
Let binding: LearningSrcIpDenyRate
let LearningSrcIpDenyRate = (TrafficLogs
| where TimeGenerated between (ago(StartLearningPeriod) .. ago(RunTime))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), Fqdn
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, Fqdn
| where LearningTimeBuckets > MinLearningBuckets);
Derived from RunTime, StartLearningPeriod, BinTime, MinLearningBuckets, TrafficLogs.
The stages below define let AlertTimeSrcIpDenyRate (the rule's main pipeline source).
Stage 1: union
union isfuzzy=true
Stage 2: source
AzureDiagnostics
Stage 3: where
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
The stages below run on AlertTimeSrcIpDenyRate (the outer pipeline).
Stage 4: where
AlertTimeSrcIpDenyRate
| where OperationName == "AzureFirewallApplicationRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
Stage 5: parse
| parse msg_s with * "from " SourceIp ":" SourcePort:int " to " Fqdn ":" DestinationPort:int ". " * "Action: " Action "." *
Stage 6: where
| where Action == "Deny"
Stage 7: where
| where isnotempty(Fqdn) and isnotempty(SourceIp)
Stage 8: source
AZFWNetworkRule
Stage 9: where
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
Stage 10: extend
| extend Fqdn = DestinationIp
Stage 11: where
| where Action == "Deny"
Stage 12: where
| where isnotempty(Fqdn) and isnotempty(SourceIp)
Stage 13: source
AZFWFlowTrace
Stage 14: where
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
Stage 15: extend
| extend Fqdn = DestinationIp
Stage 16: where
| where Action == "Deny"
Stage 17: where
| where isnotempty(Fqdn) and isnotempty(SourceIp)
Stage 18: source
AZFWIdpsSignature
Stage 19: where
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
Stage 20: extend
| extend Fqdn = DestinationIp
Stage 21: where
| where Action == "Deny"
Stage 22: where
| where isnotempty(Fqdn) and isnotempty(SourceIp)
Stage 23: source
AZFWApplicationRule
Stage 24: where
| where TimeGenerated between (FullWindowStart .. FullWindowEnd)
Stage 25: where
| where Action == "Deny"
Stage 26: where
| where isnotempty(Fqdn) and isnotempty(SourceIp)
Stage 27: where
| where TimeGenerated between (ago(RunTime) .. ago(EndRunTime))
Stage 28: summarize
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, Fqdn
Stage 29: join
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, Fqdn
Stage 30: extend
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
Stage 31: where
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
Stage 32: project
| project SourceIp, Fqdn, AlertTimeSrcIpDenyRateCount, LearningTimeBuckets, LearningThreshold
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Action | eq |
|
AlertTimeSrcIpDenyRateCount | gt |
|
Fqdn | is_not_null | |
LearningTimeBuckets | gt |
|
OperationName | eq |
|
SourceIp | is_not_null | |
TimeGenerated | ge |
|
TimeGenerated | le |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AlertTimeSrcIpDenyRateCount | project |
Fqdn | project |
LearningThreshold | project |
LearningTimeBuckets | project |
SourceIp | project |