Daily "Network Port Sweep detected on port x" but no Source IP
For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs", with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see example below). All these are inside our network, and so not coming from outside the network where the firewall would block such scans. We suspect it is one of our network tools such as Solarwinds, but without the Source IP it is difficult to prove anything.

// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2024-06-24T03:01:10.2587643Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold

I tried to modify the query; this is the KQL I have tried.

set query_now = datetime(2024-01-26T07:47:48.3756000Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100), make_set(SrcIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold

Anyone got any suggestions on how we can track down what is causing this alert in Sentinel?

Anomaly Excessive NXDOMAIN DNS Queries - analytics rule
I have noticed that we see quite a few endpoints that are triggering the Excessive NXDOMAIN DNS Queries anomaly analytics rule in Microsoft Sentinel. When I investigate these for tuning purposes, I see that the vast majority of these queries (in the in-addr.arpa domain) are for IP addresses owned by Microsoft. It appears that Microsoft have no interest in publishing reverse DNS entries, because I am unable to resolve them from any online DNS tools. The whois records do point to Microsoft, though. What's a good way to either stop this from happening, or eliminate the Microsoft IP address space from the query results?

Feed data location to run against Sentinel's KQL function
Hi, we have a feed consisting of around 250,000-300,000 entries which will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel's KQL functions to generate alerts. We are planning to use Logic Apps/Functions to do the above actions, but would like to know what the right solution would be here so that comparing the feed data against the KQL function results is fast and not of high cost. Thank you!

Sentinel - Analytic template - MFA Rejected by User
Hi, we are having a few issues with the Sentinel templated analytic rule - MFA Rejected by User (version 2.0.3) - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml

Over the last 30 days this analytic rule has generated 98 incidents which are all false positives. The analytic rule works by looking at Entra ID SigninLogs for result type 500121 with one or more of the following additional details reported: "MFA denied; user declined the authentication" or "fraud". It maps UEBA identity information, then joins the behavior analytics data summarised by IP Address. It's the summarising of the IP address data which has me questioning the code. When we get an event in the sign-in logs it also generates an event in the UEBA BehaviorAnalytics table along with an IP investigation score. If you have multiple events in the time period of the rule's query period then the summarizing does a SUM() against the IP investigation data, which can turn into a high score which breaches the threshold. The default threshold is 20, but I have seen IP investigation scores summed again being between 60 and 100+, while the individual event record for the MFA rejection gives a score of 3 or 4. Is anyone an expert with UEBA and KQL able to tell me if the original code looks ok? - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml

Would it be better served by the following code?

let riskScoreCutoff = 20; //Adjust this based on volume of results
SigninLogs
| where ResultType == 500121
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend UserPrincipalName = tolower(UserPrincipalName)
| where additionalDetails_ =~ "MFA denied; user declined the authentication" or additionalDetails_ has "fraud"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserId = any(UserId), AADTenantId=any(AADTenantId), DeviceName=any(DeviceDetail.displayName), IsManaged=any(DeviceDetail.isManaged), OS = any(DeviceDetail.operatingSystem) by UserPrincipalName, IPAddress, AppDisplayName
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
| join kind=leftouter (
    IdentityInfo
    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled
    | summarize Tags = make_set(Tags, 1000), GroupMembership = make_set(GroupMembership, 1000), AssignedRoles = make_set(AssignedRoles, 1000), UserType = make_set(UserType, 1000), UserAccountControl = make_set(UserType, 1000) by AccountUPN
    | extend UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
| join kind=leftouter (
    BehaviorAnalytics
    | where ActivityType in ("FailedLogOn", "LogOn")
    | where isnotempty(SourceIPAddress)
    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
    | project-rename IPAddress = SourceIPAddress
    | summarize UsersInsights = make_set(UsersInsights, 1000), DevicesInsights = make_set(DevicesInsights, 1000)
      //IPInvestigationPriority = tostring(InvestigationPriority)
      by IPAddress, IPInvestigationPriority=InvestigationPriority
) on IPAddress
| extend UEBARiskScore = IPInvestigationPriority
| where UEBARiskScore > riskScoreCutoff
| sort by UEBARiskScore desc

Import yaml from GitHub to Sentinel
Does anyone know how to create Sentinel custom alerts for the IOCs from GitHub repos such as this one? https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_mal_drivers.yml I want to import the yaml rule but would like to keep it up to date with the GitHub changes to the rule. MSFT themselves have so many queries in their GitHub repo; I was wondering whether there's a best way to import/integrate them into MSFT solutions. https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries

Sigma rules into content gallery
Hello Community! I have been trying to work out a nice way to convert the sigma rules available here: sigma/rules at master · SigmaHQ/sigma (github.com), which are compatible with the microsoft365defender backend, into analytic rules in Sentinel. After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However, it seems that the only way to get rule templates in is via the content gallery. Is that correct? Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this. It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing? Cheers, Jeremy.

SentinelHealth - Analytic Rules failed to run
Hi Community, does anyone know what the so-called "TemporaryIssuesDelay" is? Code: TemporaryIssuesDelay. Description: The rule's running was delayed due to temporary issues. The Microsoft documentation doesn't explain much about the error: https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity

Sentinel Assistance - KQL Query
Hey! Looking for assistance with creating a KQL query that can look at members of approx. 15 dynamic security groups and identify if they have any SharePoint site permissions across a tenant. My assumption is that the query will include a join between IdentityInfo and OfficeActivity, but I'm not even sure the information I'm looking for will be in the OfficeActivity table. Thanks, Brandon