Home
Mapping Frameworks
Azure Home
Azure Alerts for Network Layer

Azure azure_alerts_for_network_layer Mappings

Security Center network-layer analytics are based on sample IPFIX data, which are packet headers collected by Azure core routers. Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.

Mappings

Capability ID	Capability Description	Category	Value	ATT&CK ID	ATT&CK Name	Notes
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	significant	T1110	Brute Force	Comments This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection from most of this technique's sub-techniques and procedure examples resulting in an overall score of Significant. References https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	significant	T1110.003	Password Spraying	Comments This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	significant	T1110.001	Password Guessing	Comments This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	significant	T1110.004	Credential Stuffing	Comments This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	minimal	T1071	Application Layer Protocol	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on block list. References https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	minimal	T1071.004	DNS	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	minimal	T1071.003	Mail Protocols	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	minimal	T1071.002	File Transfer Protocols	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	minimal	T1071.001	Web Protocols	Comments This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. References
azure_alerts_for_network_layer	Azure Alerts for Network Layer	detect	partial	T1133	External Remote Services	Comments This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity". References https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-azurenetlayer