Bitglass - Suspicious file uploads

Back


Id	4b272e82-19f1-40d1-bfdf-74fbb6353e8b
Rulename	Bitglass - Suspicious file uploads
Description	Detects suspicious file upload activity.
Severity	High
Tactics	Exfiltration
Techniques	T1567
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassSuspiciousFileUpload.yaml
Version	1.0.1
Arm template	4b272e82-19f1-40d1-bfdf-74fbb6353e8b.json

KQL

Bitglass
| where EventType =~ 'swgwebdlp'
| where HttpRequestMethod =~ 'POST'
| where isnotempty(DlpPattern)
| summarize count() by User, bin(TimeGenerated, 15m)
| where count_ > 1
| extend AccountCustomEntity = User

YAML

triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: Bitglass
  dataTypes:
  - Bitglass
relevantTechniques:
- T1567
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
query: |
  Bitglass
  | where EventType =~ 'swgwebdlp'
  | where HttpRequestMethod =~ 'POST'
  | where isnotempty(DlpPattern)
  | summarize count() by User, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend AccountCustomEntity = User  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassSuspiciousFileUpload.yaml
queryPeriod: 1h
name: Bitglass - Suspicious file uploads
status: Available
kind: Scheduled
description: |
    'Detects suspicious file upload activity.'
id: 4b272e82-19f1-40d1-bfdf-74fbb6353e8b
version: 1.0.1
tactics:
- Exfiltration
severity: High

ARM