Identifies an abnormal deny rate for a specific source IP to destination IP pair, based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.

Configurable Parameters:
- Minimum of stds threshold - the number of standard deviations to use in the threshold calculation. Default is set to 3.
- Learning peri
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Azure Firewall |
| ID | d36bb1e3-5abc-4037-ad9a-24ba3469819e |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | InitialAccess, Exfiltration, CommandAndControl |
| Techniques | T1190, T1041, T1568 |
| Required Connectors | AzureFirewall |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| AZFWApplicationRule | ✓ | ✗ | ? |
| AZFWFlowTrace | ✓ | ✗ | ? |
| AZFWIdpsSignature | ✓ | ✗ | ? |
| AZFWNetworkRule | ✓ | ✗ | ? |
| AzureDiagnostics 🔶 | ? | ✗ | ? |