Ubiquiti - SSH from external source

Back


Id	0998a19d-8451-4cdd-8493-fc342816a197
Rulename	Ubiquiti - SSH from external source
Description	Detects remote to local (R2L) SSH connection to internal host.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
Version	1.0.2
Arm template	0998a19d-8451-4cdd-8493-fc342816a197.json

KQL

UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '22'
| extend IPCustomEntity = DstIpAddr

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '22'
  | extend IPCustomEntity = DstIpAddr  
description: |
    'Detects remote to local (R2L) SSH connection to internal host.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
name: Ubiquiti - SSH from external source
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.2
relevantTechniques:
- T1133
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
id: 0998a19d-8451-4cdd-8493-fc342816a197
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "properties": {
        "alertRuleTemplateName": "0998a19d-8451-4cdd-8493-fc342816a197",
        "customDetails": null,
        "description": "'Detects remote to local (R2L) SSH connection to internal host.'\n",
        "displayName": "Ubiquiti - SSH from external source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr) == 'False'\n| where ipv4_is_private(DstIpAddr)\n| where DstPortNumber == '22'\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}