This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 63
/
AzureTrafficAnalytics.yaml
208 lines (208 loc) · 7.33 KB
/
AzureTrafficAnalytics.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
version: 1
ATT&CK version: 8.2
creation date: 03/22/2021
name: Azure Network Traffic Analytics
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
- Analytics
- Network
description: >-
Traffic Analytics is a cloud-based solution that provides visibility into user and application
activity in cloud networks. Traffic analytics analyzes Network Watcher network security group
(NSG) flow logs to provide insights into traffic flow in your Azure cloud. It can identify security
threats to, and secure your network, with information such as open-ports, applications attempting
internet access, and virtual machines (VM) connecting to rogue networks.
techniques:
- id: T1199
name: Trusted Relationship
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can be used to gain insight into normal traffic from trusted third parties which can
then be used to detect anomalous traffic that may be indicative of a threat.
- id: T1602
name: Data from Configuration Repository
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can identify anomalous traffic with respect to configuration repositories or identified
configuration management ports.
sub-techniques-scores:
- sub-techniques:
- id: T1602.001
name: SNMP (MIB Dump)
- id: T1602.002
name: Network Device Configuration Dump
scores:
- category: Detect
value: Partial
- id: T1542
name: Pre-OS Boot
technique-scores:
- category: Detect
value: Minimal
comments: This control can identify anomalous traffic related to one of its sub-techniques (TFTP boot).
sub-techniques-scores:
- sub-techniques:
- id: T1542.005
name: TFTP Boot
scores:
- category: Detect
value: Partial
comments: This control can be used to identify anomalous TFTP boot traffic.
- id: T1563
name: Remote Service Session Hijacking
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can be used to identify anomalous traffic related to RDP and SSH sessions or
blocked attempts to access these management ports.
sub-techniques-scores:
- sub-techniques:
- id: T1563.002
name: RDP Hijacking
- id: T1563.001
name: SSH Hijacking
scores:
- category: Detect
value: Partial
- id: T1048
name: Exfiltration Over Alternative Protocol
technique-scores:
- category: Detect
value: Partial
comments: This control can detect anomalous traffic with respect to specific protocols/ports.
sub-techniques-scores:
- sub-techniques:
- id: T1048.003
name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- id: T1048.002
name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
- id: T1048.001
name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
scores:
- category: Detect
value: Partial
comments: >-
This control can identify anomalous traffic with respect specific ports
(though it can't identify presence or lack of encryption).
- id: T1190
name: Exploit Public-Facing Application
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can detect anomalous traffic to and from externally facing systems with respect to network
security group (NSG) policy.
- id: T1021
name: Remote Services
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can detect anomalous traffic or attempts related to network security group (NSG) for
remote services.
sub-techniques-scores:
- sub-techniques:
- id: T1021.006
name: Windows Remote Management
- id: T1021.005
name: VNC
- id: T1021.004
name: SSH
- id: T1021.002
name: SMB/Windows Admin Shares
- id: T1021.001
name: Remote Desktop Protocol
- id: T1021.003
name: Distributed Component Object Model
scores:
- category: Detect
value: Partial
comments: This control can detect anomalous traffic with respect to remote access protocols and groups.
- id: T1072
name: Software Deployment Tools
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can detect anomalous traffic with respect to critical systems and software deployment ports.
- id: T1133
name: External Remote Services
technique-scores:
- category: Detect
value: Partial
comments: This control can identify anomalous access to external remote services.
- id: T1046
name: Network Service Scanning
technique-scores:
- category: Detect
value: Significant
comments: This control can detect network service scanning/discovery activity.
- id: T1571
name: Non-Standard Port
technique-scores:
- category: Detect
value: Significant
comments: This control can identify anomalous traffic that utilizes non-standard application ports.
- id: T1071
name: Application Layer Protocol
technique-scores:
- category: Detect
value: Partial
comments: This control can identify anomalous traffic with respect to NSG and application layer protocols.
sub-techniques-scores:
- sub-techniques:
- id: T1071.004
name: DNS
- id: T1071.003
name: Mail Protocols
- id: T1071.002
name: File Transfer Protocols
scores:
- category: Detect
value: Partial
comments: >-
This control can detect anomalous application protocol traffic with respect to network security group (NSG)
(though web traffic would be typically too commonplace for this control to be useful).
- id: T1499
name: Endpoint Denial of Service
technique-scores:
- category: Detect
value: Partial
comments: This control can identify volumetric and multi-sourced denial-of-service attacks.
sub-techniques-scores:
- sub-techniques:
- id: T1499.003
name: Application Exhaustion Flood
- id: T1499.002
name: Service Exhaustion Flood
- id: T1499.001
name: OS Exhaustion Flood
scores:
- category: Detect
value: Partial
- id: T1090
name: Proxy
technique-scores:
- category: Detect
value: Partial
comments: This control can detect anomalous traffic between systems and external networks.
sub-techniques-scores:
- sub-techniques:
- id: T1090.003
name: Multi-hop Proxy
- id: T1090.002
name: External Proxy
- id: T1090.001
name: Internal Proxy
scores:
- category: Detect
value: Partial
references:
- 'https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics'