Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Large ICMP to external server

Back
Id6df85d74-e32f-4b71-80e5-bfe2af00be1c
RulenameUbiquiti - Large ICMP to external server
DescriptionDetects large ICMP packets to external host.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1572
Required data connectorsCustomLogsAma
UbiquitiUnifi
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
Version1.0.1
Arm template6df85d74-e32f-4b71-80e5-bfe2af00be1c.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where NetworkProtocol =~ 'ICMP'
| summarize avg_packet_length = avg(toint(NetworkBytes))
| extend a = 1
| join (UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | extend a = 1) on a
| where toint(NetworkBytes) > 2*avg_packet_length
| extend IPCustomEntity = SrcIpAddr
version: 1.0.1
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1041
- T1572
status: Available
kind: Scheduled
triggerThreshold: 0
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | summarize avg_packet_length = avg(toint(NetworkBytes))
  | extend a = 1
  | join (UbiquitiAuditEvent
    | where EventCategory =~ 'firewall'
    | where ipv4_is_private(SrcIpAddr)
    | where ipv4_is_private(DstIpAddr) == 'False'
    | where NetworkProtocol =~ 'ICMP'
    | extend a = 1) on a
  | where toint(NetworkBytes) > 2*avg_packet_length
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: Ubiquiti - Large ICMP to external server
queryPeriod: 14d
description: |
    'Detects large ICMP packets to external host.'
requiredDataConnectors:
- dataTypes:
  - UbiquitiAuditEvent
  connectorId: UbiquitiUnifi
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
id: 6df85d74-e32f-4b71-80e5-bfe2af00be1c
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
tactics:
- Exfiltration
- CommandAndControl
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6df85d74-e32f-4b71-80e5-bfe2af00be1c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6df85d74-e32f-4b71-80e5-bfe2af00be1c')]",
      "properties": {
        "alertRuleTemplateName": "6df85d74-e32f-4b71-80e5-bfe2af00be1c",
        "customDetails": null,
        "description": "'Detects large ICMP packets to external host.'\n",
        "displayName": "Ubiquiti - Large ICMP to external server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where NetworkProtocol =~ 'ICMP'\n| summarize avg_packet_length = avg(toint(NetworkBytes))\n| extend a = 1\n| join (UbiquitiAuditEvent\n  | where EventCategory =~ 'firewall'\n  | where ipv4_is_private(SrcIpAddr)\n  | where ipv4_is_private(DstIpAddr) == 'False'\n  | where NetworkProtocol =~ 'ICMP'\n  | extend a = 1) on a\n| where toint(NetworkBytes) > 2*avg_packet_length\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1041",
          "T1572"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}