Update Anomaly in SMB Traffic(ASIM Network Session schema).yaml

Changed the time filter to use built-in function and fixed the description.
Azure · Mar 7, 2024 · 72ae5f3 · 72ae5f3
1 parent 82d8869
commit 72ae5f3
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/...ession Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml b/...ession Essentials/Analytic Rules/Anomaly in SMB Traffic(ASIM Network Session schema).yaml
@@ -1,7 +1,7 @@
 id: 8717e498-7b5d-4e23-9e7c-fa4913dbfd79
 name: Anomaly in SMB Traffic(ASIM Network Session schema)
 description: |
-  'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average and standard deviation of SMB connections over last 14 days, flagging sources exceeding 50 standard deviations.'
+  'This detection detects abnormal SMB traffic, a file-sharing protocol. By calculating the average deviation of SMB connections over last 14 days, flagging sources exceeding 50 standard deviations.'
 severity: Medium
 status: Available 
 tags:
@@ -25,15 +25,13 @@ query: |
   let endtime = 1d;
   // Define the SMB ports to monitor
   let SMBPorts = dynamic(["139", "445"]);
-  // Get the baseline data for user network sessions
-  let userBaseline = _Im_NetworkSession
-    | where TimeGenerated between (ago(starttime)..ago(endtime)) // Filter for the defined time range
+  // Get the baseline data for user network sessions and Filter for the defined time range
+  let userBaseline = _Im_NetworkSession(starttime=ago(starttime), endtime=ago(endtime))
     | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
     | summarize Count = count() by SrcIpAddr, DstPortNumber // Group by source IP and destination port
     | summarize AvgCount = avg(Count) by SrcIpAddr, DstPortNumber; // Calculate the average count
-  // Get the recent user activity data
-  let recentUserActivity = _Im_NetworkSession
-    | where TimeGenerated > ago(endtime) // Filter for recent activity
+  // Get the recent user activity data and Filter for recent activity
+  let recentUserActivity = _Im_NetworkSession(starttime=ago(endtime))
     | where ipv4_is_private(SrcIpAddr) and tostring(DstPortNumber) has_any (SMBPorts) and SrcIpAddr != DstIpAddr // Filter for private IP addresses and SMB ports
     | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by SrcIpAddr, DstPortNumber; // Group by source IP and destination port
   // Join the baseline and recent activity data