detection.wiki

Detection rules › Kusto Query Language

Excessive number of failed connections from a single source (ASIM Network Session schema)

Source
upstream

'This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated. This analytic rule uses ASIM and supports any built-in or custom source that supports the ASIM NetworkSession schema'

MITRE ATT&CK coverage

TacticTechniques
ImpactT1499 Endpoint Denial of Service

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Stages and Predicates

Stage 1: source

_Im_NetworkSession

Stage 2: summarize

Stage 3: where

Count gt "threshold"

Stage 4: extend

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Countgt
  • threshold