Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - SSH from external source

Ubiquiti - SSH from external source

Back
Id0998a19d-8451-4cdd-8493-fc342816a197
RulenameUbiquiti - SSH from external source
DescriptionDetects remote to local (R2L) SSH connection to internal host.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
Version1.0.2
Arm template0998a19d-8451-4cdd-8493-fc342816a197.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '22'
| extend IPCustomEntity = DstIpAddr

id: 0998a19d-8451-4cdd-8493-fc342816a197
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1133
version: 1.0.2
name: Ubiquiti - SSH from external source
status: Available
description: |
    'Detects remote to local (R2L) SSH connection to internal host.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '22'
  | extend IPCustomEntity = DstIpAddr  
queryPeriod: 1h
triggerOperator: gt
kind: Scheduled
queryFrequency: 1h
severity: Medium