Ubiquiti - SSH from external source

Back


Id	0998a19d-8451-4cdd-8493-fc342816a197
Rulename	Ubiquiti - SSH from external source
Description	Detects remote to local (R2L) SSH connection to internal host.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
Version	1.0.2
Arm template	0998a19d-8451-4cdd-8493-fc342816a197.json

KQL

UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '22'
| extend IPCustomEntity = DstIpAddr

YAML

id: 0998a19d-8451-4cdd-8493-fc342816a197
tactics:
- InitialAccess
queryPeriod: 1h
triggerThreshold: 0
name: Ubiquiti - SSH from external source
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '22'
  | extend IPCustomEntity = DstIpAddr  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
description: |
    'Detects remote to local (R2L) SSH connection to internal host.'
status: Available
version: 1.0.2
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "properties": {
        "alertRuleTemplateName": "0998a19d-8451-4cdd-8493-fc342816a197",
        "customDetails": null,
        "description": "'Detects remote to local (R2L) SSH connection to internal host.'\n",
        "displayName": "Ubiquiti - SSH from external source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr) == 'False'\n| where ipv4_is_private(DstIpAddr)\n| where DstPortNumber == '22'\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}