Azure azure_network_traffic_analytics Mappings

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic Analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. It can identify security threats to your network and help secure it, using information such as open ports, applications attempting internet access, and virtual machines (VMs) connecting to rogue networks.

Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1199 | Trusted Relationship | This control can be used to gain insight into normal traffic from trusted third parties, which can then be used to detect anomalous traffic that may be indicative of a threat. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1602 | Data from Configuration Repository | This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1602.001 | SNMP (MIB Dump) | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1602.002 | Network Device Configuration Dump | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | minimal | T1542 | Pre-OS Boot | This control can identify anomalous traffic related to one of its sub-techniques (TFTP boot). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1542.005 | TFTP Boot | This control can be used to identify anomalous TFTP boot traffic. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1563 | Remote Service Session Hijacking | This control can be used to identify anomalous traffic related to RDP and SSH sessions, or blocked attempts to access these management ports. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1563.002 | RDP Hijacking | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1563.001 | SSH Hijacking | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1048 | Exfiltration Over Alternative Protocol | This control can detect anomalous traffic with respect to specific protocols/ports. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it cannot identify the presence or absence of encryption). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it cannot identify the presence or absence of encryption). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it cannot identify the presence or absence of encryption). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1190 | Exploit Public-Facing Application | This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021 | Remote Services | This control can detect anomalous traffic or access attempts, relative to network security group (NSG) rules, for remote services. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.006 | Windows Remote Management | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.005 | VNC | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.004 | SSH | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.002 | SMB/Windows Admin Shares | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.001 | Remote Desktop Protocol | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1021.003 | Distributed Component Object Model | This control can detect anomalous traffic with respect to remote access protocols and groups. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1072 | Software Deployment Tools | This control can detect anomalous traffic with respect to critical systems and software deployment ports. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1133 | External Remote Services | This control can identify anomalous access to external remote services. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | significant | T1046 | Network Service Scanning | This control can detect network service scanning/discovery activity. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | significant | T1571 | Non-Standard Port | This control can identify anomalous traffic that utilizes non-standard application ports. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1071 | Application Layer Protocol | This control can identify anomalous traffic with respect to NSG rules and application layer protocols. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1071.004 | DNS | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1071.003 | Mail Protocols | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1071.002 | File Transfer Protocols | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1499 | Endpoint Denial of Service | This control can identify volumetric and multi-sourced denial-of-service attacks. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1499.003 | Application Exhaustion Flood | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1499.002 | Service Exhaustion Flood | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1499.001 | OS Exhaustion Flood | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1090 | Proxy | This control can detect anomalous traffic between systems and external networks. |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1090.003 | Multi-hop Proxy | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1090.002 | External Proxy | |
| azure_network_traffic_analytics | Azure Network Traffic Analytics | detect | partial | T1090.001 | Internal Proxy | |