
Quick Start Security for Azure Virtual Network


Coralogix Extension For Azure Virtual Network Includes:

Alerts - 5

Stay on top of Azure Virtual Network key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Incoming Connection Requests Over Remote Service Ports Accepted

This alert triggers whenever an incoming connection over port 22 or port 3389 is accepted. Port 22 carries one of several tunneling protocols used to build secure network connections. Port 3389 enables users to connect remotely to their desktop computers from another device.

Impact: If these ports are open to the internet for anyone to access, threat actors can exploit any vulnerabilities associated with them to gain remote access to a host inside the network, and from there can further expand their attack surface.

Mitigation: Close these ports to the internet (external network) if there is no business purpose for them. If that is not possible, block the incoming malicious IPs on the firewall. For the connections that were accepted, investigate the relevant machines for any malicious activity.

MITRE Tactic: TA0008
MITRE Technique: T1021

No Logs From Azure Virtual Network

This rule detects when no logs have been received from Azure Virtual Network in the customer account during the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging issue to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Excessive Inbound ICMP Traffic Observed

This alert triggers whenever an IP address sends a high number of ICMP ping requests to hosts within a Virtual Network in a short interval of time.

Impact: Allowing unrestricted inbound (ingress) ICMP access to your Virtual Network increases the opportunities for malicious activities such as Denial-of-Service (DoS), Smurf and Fraggle attacks.

Mitigation: Validate whether the incoming requests are legitimate. If there is no business requirement, restrict inbound ICMP from the internet in the security group rules. If needed, block the source IP in your Azure environment.

MITRE Tactic: TA0043
MITRE Technique: T1595

Outgoing Communication to a New IP Address

This alert triggers whenever an internal IP address initiates and establishes communication with either another internal IP or a malicious external IP, on the condition that this communication was not seen in the last month.

Impact: Communication of this nature can indicate that a new asset was added to the network, or that the communication between the two internal hosts is unusual and could be suspicious activity. Communication with a malicious external IP could also indicate that the host is infected and is performing malicious activities.

Mitigation: For an internal destination host, check whether the host is legitimate and known to the network administrators. For an external malicious destination host, block the IP on the firewall and investigate the network further for any malicious activity.

MITRE Tactic: TA0010
MITRE Technique: T1041

DNS Request Not Over UDP

This alert triggers on DNS-related traffic originating from a local IP to destination port 53 over any protocol other than the standard UDP.

Impact: DNS traffic over any protocol other than UDP can indicate malicious activity such as DNS tunneling.

Mitigation: Check the reputation of the destination address to identify whether it is associated with any known malicious activity. If needed, run a full scan on the machine with the available EDR/AV solutions to make sure no malicious software is running on it. If needed, investigate further according to company policies.

MITRE Tactic: TA0011
MITRE Technique: T1071
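The five alerts above are described in prose only. As an added example, not Coralogix's or Azure's own code, the following Python script implements equivalent toy detection rules over constructed flow records: accepted inbound connections to ports 22/3389, a log-gap check, an ICMP rate threshold per source, DNS on port 53 over a non-UDP protocol, and a source/destination pair not seen in a baseline. The record fields, the 10.0.0.0/16 VNet range, the baseline pairs, the placeholder malicious-IP set and the ICMP threshold of 20 requests per 60 seconds are all assumptions and do not reflect any real log schema or indicator.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the VNet address space; anything outside it is treated as external.
VNET = ipaddress.ip_network("10.0.0.0/16")
REMOTE_SERVICE_PORTS = {22, 3389}  # the remote-service ports named in the first alert


def is_internal(ip):
    return ipaddress.ip_address(ip) in VNET


def make_flow(ts, src, dst, dport, proto, direction, decision):
    """One simplified flow record (assumed fields, not the Azure NSG schema)."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": dport, "proto": proto, "dir": direction, "decision": decision}


# Constructed sample flows; documentation-range IPs play the external hosts.
FLOWS = [
    make_flow("2024-05-01T10:00:00", "203.0.113.7", "10.0.1.4", 22, "TCP", "in", "accept"),
    make_flow("2024-05-01T10:00:05", "203.0.113.7", "10.0.1.4", 3389, "TCP", "in", "deny"),
    make_flow("2024-05-01T10:02:00", "10.0.1.4", "10.0.2.8", 53, "TCP", "out", "accept"),
    make_flow("2024-05-01T10:02:01", "10.0.1.4", "10.0.2.8", 53, "UDP", "out", "accept"),
    make_flow("2024-05-01T10:03:00", "10.0.1.5", "198.51.100.200", 443, "TCP", "out", "accept"),
    make_flow("2024-05-01T10:03:30", "10.0.1.5", "10.0.3.9", 445, "TCP", "out", "accept"),
]
# 25 echo requests from one source within 25 seconds, 3 spaced-out ones from another.
FLOWS += [make_flow(f"2024-05-01T10:05:{i:02d}", "198.51.100.9", "10.0.1.5", 0, "ICMP", "in", "accept")
          for i in range(25)]
FLOWS += [make_flow(f"2024-05-01T10:05:{i * 10:02d}", "192.0.2.3", "10.0.1.5", 0, "ICMP", "in", "accept")
          for i in range(3)]

# Constructed baseline of (src, dst) pairs "seen in the last month" and a
# constructed set of known-bad external IPs (placeholders, not real indicators).
BASELINE_PAIRS = {("10.0.1.4", "10.0.2.8")}
MALICIOUS_IPS = {"198.51.100.200"}


def remote_service_ports_accepted(flows):
    """Alert 1: accepted inbound connections to port 22 or 3389."""
    return [f for f in flows if f["dir"] == "in" and f["decision"] == "accept"
            and f["dport"] in REMOTE_SERVICE_PORTS]


def no_logs(flows, now_iso, max_gap=timedelta(hours=4)):
    """Alert 2: True when nothing has been logged within max_gap before now_iso."""
    if not flows:
        return True
    now = datetime.fromisoformat(now_iso)
    return now - max(f["ts"] for f in flows) > max_gap


def excessive_inbound_icmp(flows, threshold=20, window=timedelta(seconds=60)):
    """Alert 3: source IPs sending more than `threshold` inbound ICMP requests
    inside any sliding window of length `window`."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "ICMP" and f["dir"] == "in":
            per_src[f["src"]].append(f["ts"])
    noisy = set()
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 > threshold:
                noisy.add(src)
                break
    return noisy


def new_destinations(flows, baseline_pairs, malicious_ips):
    """Alert 4: internal source talking to a (src, dst) pair absent from the
    baseline, where dst is another internal host or a known-bad external IP."""
    hits = []
    for f in flows:
        if f["dir"] != "out" or not is_internal(f["src"]):
            continue
        pair = (f["src"], f["dst"])
        if pair in baseline_pairs:
            continue
        if is_internal(f["dst"]) or f["dst"] in malicious_ips:
            hits.append(pair)
    return hits


def dns_not_over_udp(flows):
    """Alert 5: traffic from a local IP to port 53 over anything but UDP."""
    return [f for f in flows if f["dport"] == 53 and f["proto"] != "UDP"
            and is_internal(f["src"])]


if __name__ == "__main__":
    print("remote ports accepted:", [(f["src"], f["dport"]) for f in remote_service_ports_accepted(FLOWS)])
    print("no logs for 4h as of 15:00:", no_logs(FLOWS, "2024-05-01T15:00:00"))
    print("excessive ICMP sources:", excessive_inbound_icmp(FLOWS))
    print("new destinations:", new_destinations(FLOWS, BASELINE_PAIRS, MALICIOUS_IPS))
    print("DNS not over UDP:", [(f["src"], f["proto"]) for f in dns_not_over_udp(FLOWS)])
```

The ICMP rule uses a per-source sliding window rather than a fixed bucket, so a burst that straddles a minute boundary is still counted; the "new destination" rule deliberately ignores external destinations that are not on the known-bad list, matching the alert's scope of internal peers and malicious external IPs only.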

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Virtual Network in our documentation.
