Azure azure_alerts_for_network_layer Mappings

Security Center network-layer analytics are based on sampled IPFIX data (packet headers collected by Azure core routers). On this data feed, Security Center applies machine learning models to identify and flag malicious traffic, and it enriches IP addresses with the Microsoft Threat Intelligence database.

Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | significant | T1110 | Brute Force | This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection for most of this technique's sub-techniques and procedure examples, resulting in an overall score of Significant. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | significant | T1110.003 | Password Spraying | This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | significant | T1110.001 | Password Guessing | This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | significant | T1110.004 | Credential Stuffing | This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | minimal | T1071 | Application Layer Protocol | This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | minimal | T1071.004 | DNS | This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | minimal | T1071.003 | Mail Protocols | This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | minimal | T1071.002 | File Transfer Protocols | This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | minimal | T1071.001 | Web Protocols | This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list. |
| azure_alerts_for_network_layer | Azure Alerts for Network Layer | detect | partial | T1133 | External Remote Services | This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity". |

No references are listed for any of these mappings.
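The notes above describe two kinds of flow-level detection: counting repeated inbound connection attempts from external IPs to remote-access services (the T1110 and T1133 rows), and matching outbound destinations against a block list of known malicious sites (the T1071 rows). The following Python is an added illustration of that logic over constructed IPFIX-style flow records; it is not Security Center's code, and its fixed threshold stands in for the machine-learning model the page describes. The flow tuples, the block-list entries, and the threshold value are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IPFIX-style flow records, not real telemetry:
# (source IP, destination IP, destination port, packets in the flow)
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.0.1.4", 3389, 3),    # repeated short RDP flows
    ("198.51.100.7", "10.0.1.4", 3389, 2),
    ("198.51.100.7", "10.0.1.4", 3389, 4),
    ("198.51.100.7", "10.0.1.5", 22, 3),      # and short SSH flows
    ("198.51.100.7", "10.0.1.5", 22, 2),
    ("198.51.100.7", "10.0.1.5", 22, 5),
    ("198.51.100.7", "10.0.1.5", 22, 1),      # seven inbound flows from one external IP
    ("198.51.100.8", "10.0.1.5", 22, 12),     # two ordinary SSH sessions
    ("198.51.100.8", "10.0.1.5", 22, 40),
    ("10.0.1.9", "10.0.1.4", 3389, 30),       # internal-to-internal, out of scope
    ("10.0.1.9", "203.0.113.66", 443, 20),    # outbound to a block-listed IP
    ("10.0.1.9", "192.0.2.10", 443, 25),      # outbound to an unlisted IP
    ("10.0.1.9", "203.0.113.66", 53, 2),      # DNS to the same block-listed IP
]

# Constructed block list of "known malicious" destinations (placeholder addresses).
BLOCK_LIST = {"203.0.113.66", "203.0.113.99"}

# RFC 1918 ranges stand in for "our" address space in this example.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Remote-access services named in the page's T1133 alert titles.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}

# Assumed threshold: more inbound remote-access flows than this from a single
# external IP within the sample window is reported. The real control uses an
# ML model rather than a fixed count; this is only a stand-in.
FLOW_THRESHOLD = 5


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect_inbound_bruteforce(flows, threshold=FLOW_THRESHOLD):
    """Count inbound flows per external source IP to SSH/RDP and report
    sources above the threshold. Offline cracking (T1110.002) generates no
    network flows, so, as the page notes, nothing here can see it."""
    counts = defaultdict(lambda: {"flows": 0, "ports": set()})
    for src, dst, port, _pkts in flows:
        if port in REMOTE_ACCESS_PORTS and not is_internal(src) and is_internal(dst):
            counts[src]["flows"] += 1
            counts[src]["ports"].add(REMOTE_ACCESS_PORTS[port])
    return {ip: info for ip, info in counts.items() if info["flows"] > threshold}


def detect_blocklisted_destinations(flows, block_list=BLOCK_LIST):
    """Report outbound flows from internal hosts to block-listed destinations.
    Coverage is only as good as the list, which is why the page scores the
    T1071 rows as minimal."""
    hits = set()
    for src, dst, port, _pkts in flows:
        if is_internal(src) and dst in block_list:
            hits.add((src, dst, port))
    return sorted(hits)


if __name__ == "__main__":
    for ip, info in detect_inbound_bruteforce(SAMPLE_FLOWS).items():
        print(f"possible brute force from {ip}: {info['flows']} flows to "
              f"{', '.join(sorted(info['ports']))}")
    for src, dst, port in detect_blocklisted_destinations(SAMPLE_FLOWS):
        print(f"block-listed destination: {src} -> {dst}:{port}")
```

Running the block reports 198.51.100.7 for its seven short inbound RDP and SSH flows and the two outbound flows from 10.0.1.9 to the block-listed 203.0.113.66, while the two normal SSH sessions from 198.51.100.8 and the traffic to the unlisted 192.0.2.10 are left alone.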