Ubiquiti - Large ICMP to external server

UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where NetworkProtocol =~ 'ICMP'
| summarize avg_packet_length = avg(toint(NetworkBytes))
| extend a = 1
| join (UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | extend a = 1) on a
| where toint(NetworkBytes) > 2*avg_packet_length
| extend IPCustomEntity = SrcIpAddr

queryPeriod: 14d
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | summarize avg_packet_length = avg(toint(NetworkBytes))
  | extend a = 1
  | join (UbiquitiAuditEvent
    | where EventCategory =~ 'firewall'
    | where ipv4_is_private(SrcIpAddr)
    | where ipv4_is_private(DstIpAddr) == 'False'
    | where NetworkProtocol =~ 'ICMP'
    | extend a = 1) on a
  | where toint(NetworkBytes) > 2*avg_packet_length
  | extend IPCustomEntity = SrcIpAddr  
name: Ubiquiti - Large ICMP to external server
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
description: |
    'Detects large ICMP packets to external host.'
kind: Scheduled
version: 1.0.2
status: Available
severity: Medium
relevantTechniques:
- T1041
- T1572
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
- CommandAndControl
id: 6df85d74-e32f-4b71-80e5-bfe2af00be1c