Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - SSH from external source

Ubiquiti - SSH from external source

Back
Id0998a19d-8451-4cdd-8493-fc342816a197
RulenameUbiquiti - SSH from external source
DescriptionDetects remote to local (R2L) SSH connection to internal host.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
Version1.0.2
Arm template0998a19d-8451-4cdd-8493-fc342816a197.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '22'
| extend IPCustomEntity = DstIpAddr

relevantTechniques:
- T1133
name: Ubiquiti - SSH from external source
queryFrequency: 1h
version: 1.0.2
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '22'
  | extend IPCustomEntity = DstIpAddr  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerOperator: gt
id: 0998a19d-8451-4cdd-8493-fc342816a197
status: Available
description: |
    'Detects remote to local (R2L) SSH connection to internal host.'