Identifies traffic that uses a well-known protocol over a non-standard port, based on the port-to-protocol pairings observed during a learning period. Such traffic can indicate command-and-control (C2) or exfiltration by attackers who communicate over a known port (22 for SSH, 80 for HTTP) but whose traffic does not carry the protocol headers that normally match that port number.

Configurable parameters:

- Learning period time: the learning period for protocol learning, in days. The default is 7.
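The learning-period logic described above, modelled as an added Python example (this is not the rule's own KQL query, which runs inside Microsoft Sentinel): the baseline records which destination ports each protocol was seen on during the learning window, and the detection step flags recent events where a learned protocol shows up on a port outside that set. The sample events, the field names (`source_ip`, `dest_port`, `protocol`) and the one-hour detection window are constructed assumptions for illustration, not the Azure Firewall log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events for illustration only (not real Azure Firewall logs).
# Format per line: timestamp,source_ip,destination_port,protocol
# `protocol` stands for the protocol the firewall identified from the traffic
# itself (its headers), independent of the destination port.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00Z,10.0.0.5,80,HTTP
2024-05-02T09:15:00Z,10.0.0.6,443,HTTPS
2024-05-03T10:30:00Z,10.0.0.5,22,SSH
2024-05-04T11:45:00Z,10.0.0.7,80,HTTP
2024-05-05T12:00:00Z,10.0.0.8,443,HTTPS
2024-05-06T13:20:00Z,10.0.0.5,22,SSH
2024-05-08T14:05:00Z,10.0.0.6,80,HTTP
2024-05-08T14:07:00Z,10.0.0.9,80,SSH
2024-05-08T14:09:00Z,10.0.0.9,443,HTTPS
2024-05-08T14:11:00Z,10.0.0.10,8443,HTTPS
2024-05-08T14:13:00Z,10.0.0.11,5000,CUSTOM
"""


def parse_events(text):
    """Parse the constructed CSV-style lines into event dicts with UTC timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, src, port, proto = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source_ip": src,
            "dest_port": int(port),
            "protocol": proto,
        })
    return events


def learn_baseline(events, learning_start, learning_end):
    """Map each protocol to the destination ports it used in [learning_start, learning_end).

    This is the rule's learning period: every port/protocol pairing seen in the
    window is treated as normal for this environment.
    """
    baseline = defaultdict(set)
    for e in events:
        if learning_start <= e["time"] < learning_end:
            baseline[e["protocol"]].add(e["dest_port"])
    return dict(baseline)


def find_protocol_port_anomalies(events, now, learning_days=7, detection_hours=1):
    """Return detection-window events where a learned protocol appears on a port
    it was never seen on during the learning period.

    learning window : [now - learning_days, now - detection_hours)
    detection window: [now - detection_hours, now]
    `learning_days` mirrors the rule's configurable learning-period parameter;
    the one-hour detection window is an assumption of this example.
    """
    detection_start = now - timedelta(hours=detection_hours)
    learning_start = now - timedelta(days=learning_days)
    baseline = learn_baseline(events, learning_start, detection_start)

    anomalies = []
    for e in events:
        if not (detection_start <= e["time"] <= now):
            continue
        known_ports = baseline.get(e["protocol"])
        if known_ports is None:
            # Protocol never observed in the learning window: there is no
            # learned "standard" port to compare against, so it is not flagged.
            continue
        if e["dest_port"] not in known_ports:
            anomalies.append({**e, "expected_ports": sorted(known_ports)})
    return anomalies


def run_example(now_iso="2024-05-08T15:00:00Z", learning_days=7):
    """Run the detection over the constructed sample at a fixed 'now' (an assumption)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    anomalies = find_protocol_port_anomalies(parse_events(SAMPLE_EVENTS), now, learning_days)
    return [(a["source_ip"], a["dest_port"], a["protocol"], a["expected_ports"]) for a in anomalies]


if __name__ == "__main__":
    for src, port, proto, expected in run_example():
        print(f"{src} -> port {port} carries {proto} (learned ports for {proto}: {expected})")
```

Two things worth noticing when tuning the learning period: an event whose protocol was never seen in the learning window (the `CUSTOM` line) is skipped rather than flagged, because the rule only knows the "standard" port of protocols it has learned; and a learning period that is too short for the environment (try `run_example(learning_days=1)` on this sample) yields an empty baseline, so nothing is flagged and the gap is silent rather than noisy.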
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Azure Firewall |
| ID | 826f930c-2f25-4508-8e75-a95b809a4e15 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Exfiltration, CommandAndControl |
| Techniques | T1041, T1571 |
| Required Connectors | AzureFirewall |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| AZFWApplicationRule | ✓ | ✗ | ? |
| AZFWNetworkRule | ✓ | ✗ | ? |
| AzureDiagnostics 🔶 | ? | ✗ | ? |