Ubiquiti - Large ICMP to external server

UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where NetworkProtocol =~ 'ICMP'
| summarize avg_packet_length = avg(toint(NetworkBytes))
| extend a = 1
| join (UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | extend a = 1) on a
| where toint(NetworkBytes) > 2*avg_packet_length
| extend IPCustomEntity = SrcIpAddr

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | summarize avg_packet_length = avg(toint(NetworkBytes))
  | extend a = 1
  | join (UbiquitiAuditEvent
    | where EventCategory =~ 'firewall'
    | where ipv4_is_private(SrcIpAddr)
    | where ipv4_is_private(DstIpAddr) == 'False'
    | where NetworkProtocol =~ 'ICMP'
    | extend a = 1) on a
  | where toint(NetworkBytes) > 2*avg_packet_length
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
tactics:
- Exfiltration
- CommandAndControl
name: Ubiquiti - Large ICMP to external server
relevantTechniques:
- T1041
- T1572
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects large ICMP packets to external host.'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
queryPeriod: 14d
id: 6df85d74-e32f-4b71-80e5-bfe2af00be1c