Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - SSH from external source

Back
Id0998a19d-8451-4cdd-8493-fc342816a197
RulenameUbiquiti - SSH from external source
DescriptionDetects remote to local (R2L) SSH connection to internal host.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
Version1.0.2
Arm template0998a19d-8451-4cdd-8493-fc342816a197.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '22'
| extend IPCustomEntity = DstIpAddr
status: Available
relevantTechniques:
- T1133
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
triggerOperator: gt
id: 0998a19d-8451-4cdd-8493-fc342816a197
description: |
    'Detects remote to local (R2L) SSH connection to internal host.'
queryPeriod: 1h
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
triggerThreshold: 0
name: Ubiquiti - SSH from external source
tactics:
- InitialAccess
version: 1.0.2
severity: Medium
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '22'
  | extend IPCustomEntity = DstIpAddr  
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0998a19d-8451-4cdd-8493-fc342816a197')]",
      "properties": {
        "alertRuleTemplateName": "0998a19d-8451-4cdd-8493-fc342816a197",
        "customDetails": null,
        "description": "'Detects remote to local (R2L) SSH connection to internal host.'\n",
        "displayName": "Ubiquiti - SSH from external source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr) == 'False'\n| where ipv4_is_private(DstIpAddr)\n| where DstPortNumber == '22'\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}