Question

UEBA - Base Line Profiling Rules

  • November 19, 2025
  • 1 reply
  • 28 views

Aj_Detection

Hi All 

I am getting the error “unsupported metric function name NETWORK_CONNECTIONS_SUCCESS” with the rule below:

 

rule ueba_first_time_outbound_rare_port {

  meta:
    rule_name = "First Time Outbound Traffic to Rare Destination Port"
    description = "Detects the first time outbound traffic is observed to a destination port that has not been seen in the last 30 days. This may indicate anomalous exfiltration, C2 activity, or tunneling."
    severity = "Medium"
    tactic = "TA0011"  // Command and Control
    technique = "T1571" // Non-Standard Port

  events:
    // Firewall event
    $e.metadata.log_type = "SOPHOS_FIREWALL"
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // Outbound direction only
    // $dir = $e.network.direction
    // $dir = "OUTBOUND"
    // Using the CIDR exclusions below instead, since the direction field is not available in Sophos Firewall:
    // a destination in loopback, RFC 1918 or link-local space is treated as internal, everything else as outbound.
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")    // Loopback (own computer talking to itself)
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")     // RFC 1918 private range
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")  // RFC 1918 private range
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16") // Home/office network (own laptop, printer, internal servers)
    not net.ip_in_range_cidr($e.target.ip, "169.254.0.0/16") // Link-local: auto-assigned when a device can't get a real IP (DHCP failed)

    // Destination port must exist and be non-zero
    $dst_port = $e.target.port
    $dst_port > 0

    // Capture source and destination IPs (passed to the metric below as its namespace dimensions)
    $src_ip = $e.principal.ip
    $dst_ip = $e.target.ip

    // Only allowed or permitted traffic
    $e.security_result.action = "ALLOW"

  match:
    $src_ip, $dst_ip, $dst_port over 48h

  outcome:
    $risk_score = 50
    $event_count = count_distinct($e.metadata.id)

    // Baseline metric: has this destination port ever been seen in the last 30 days?
    // (This is the call that produces "unsupported metric function name NETWORK_CONNECTIONS_SUCCESS".)
    $historical_threshold = max(metrics.network_connections_success(
        period:1d, window:30d,
        metric:first_seen, agg:min,
        target.port:$dst_port,
        principal.namespace:$src_ip,
        target.namespace:$dst_ip))

    // Metadata for enrichment
    $principal_ns = array_distinct($src_ip)
    $target_ns = array_distinct($dst_ip)
    $destination_port = array_distinct($dst_port)
    //$vendor_name = array_distinct($e.metadata.vendor_name)
    //$product_name = array_distinct($e.metadata.product_name)

    // Earliest event
    $result_time = min($e.metadata.event_timestamp.seconds)

    // Derive textual result (attempted/failed/succeeded): $tmp1 is 2 if any event was not blocked, $tmp2 is 1 if any was blocked
    $tmp1 = max(
      if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    $tmp2 = max(
      if($e.security_result.action = "BLOCK", 1)
    )
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)

  condition:
    // Alert only if this outbound destination port has NEVER been seen before in the baseline
    $e and ($historical_threshold = 0)

  options:
    allow_zero_values = true
}

Regards

Ajay P
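The same baseline logic, replayed in plain Python over constructed firewall events so its behaviour can be checked offline. This is an added example and not code from the post or from Google SecOps / YARA-L: the event field names, the sample traffic, the 30-day window and the warm-up period are all assumptions. It keeps the rule's decisions (ALLOW only, destination outside loopback / RFC 1918 / link-local, baseline keyed on source IP + destination IP + destination port) and adds the one thing the rule leaves implicit: a warm-up period, without which every tuple is "first seen" on the day the rule is enabled.

```python
"""First-seen baseline for outbound traffic to a rare destination port.

Added example, not code from the forum post or from Google SecOps / YARA-L:
it replays the rule's logic (ALLOW only, destination not loopback / RFC 1918 /
link-local, key = source IP + destination IP + destination port, 30-day
baseline) in plain Python over constructed events. Field names and the
sample traffic are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Destinations inside these ranges are treated as internal (not outbound),
# mirroring the CIDR exclusions the rule uses in place of a direction field.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]
BASELINE_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Event:
    """Minimal normalised firewall event (constructed; field names assumed)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str  # "ALLOW", "BLOCK" or "UNKNOWN_ACTION"


def is_outbound(dst_ip: str) -> bool:
    """True when the destination is outside every internal range."""
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def first_seen_rare_ports(events: list[Event], alert_from: datetime,
                          window: timedelta = BASELINE_WINDOW) -> list[dict]:
    """Replay events in time order and alert on allowed outbound connections
    whose (src_ip, dst_ip, dst_port) tuple was never seen, or was last seen
    more than `window` ago. Events before `alert_from` only build the
    baseline; without that warm-up every tuple would alert on day one."""
    last_seen: dict[tuple[str, str, int], datetime] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "ALLOW" or ev.dst_port <= 0 or not is_outbound(ev.dst_ip):
            continue
        key = (ev.src_ip, ev.dst_ip, ev.dst_port)
        prev = last_seen.get(key)
        if (prev is None or ev.ts - prev > window) and ev.ts >= alert_from:
            alerts.append({
                "time": ev.ts.isoformat(),
                "src_ip": ev.src_ip,
                "dst_ip": ev.dst_ip,
                "dst_port": ev.dst_port,
                "last_seen": prev.isoformat() if prev else None,
                "risk_score": 50,
            })
        last_seen[key] = ev.ts
    return alerts


# --- constructed sample traffic (not real logs) -----------------------------
T0 = datetime(2025, 10, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n, hours=9)


SAMPLE_EVENTS = [
    # 30 days of routine HTTPS to one host: this is the baseline.
    *[Event(day(n), "10.1.2.3", "203.0.113.10", 443, "ALLOW") for n in range(30)],
    # Seen once on day 2, then not again until day 40: 38 days, baseline stale.
    Event(day(2), "10.1.2.3", "198.51.100.7", 8443, "ALLOW"),
    Event(day(40), "10.1.2.3", "198.51.100.7", 8443, "ALLOW"),
    # First ever connection to a non-standard port on day 41.
    Event(day(41), "10.1.2.3", "198.51.100.9", 4444, "ALLOW"),
    # Blocked attempt: out of scope, the rule only looks at ALLOW.
    Event(day(41), "10.1.2.3", "198.51.100.9", 1337, "BLOCK"),
    # Internal destination (SMB to a file server): not outbound.
    Event(day(41), "10.1.2.3", "192.168.1.5", 445, "ALLOW"),
    # Known tuple repeating inside the window: baselined, no alert.
    Event(day(41), "10.1.2.3", "203.0.113.10", 443, "ALLOW"),
]


def run_example() -> list[dict]:
    """Alert only once a full baseline window of history has been replayed."""
    return first_seen_rare_ports(SAMPLE_EVENTS, alert_from=T0 + BASELINE_WINDOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two alerts come out of the sample: the stale 8443 tuple on day 40 (with its previous sighting attached) and the never-seen port 4444 on day 41; the blocked, internal and already-baselined events are dropped before the lookup. The `last_seen` dictionary is the state a detection platform has to hold for this rule, one entry per (source IP, destination IP, port) tuple, which is why the cardinality of that key determines whether a precomputed baseline is feasible.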

 

1 reply

Aj_Detection
  • Author
  • Bronze 1
  • November 19, 2025

It seems the firewall will have a high cardinality of ports and IPs, so the metric family is not available for it. We need to use the state table.

But the state table won't work for detecting IP + rare ports.

 

Regards

Ajay P