Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Large ICMP to external server

Back
Id6df85d74-e32f-4b71-80e5-bfe2af00be1c
RulenameUbiquiti - Large ICMP to external server
DescriptionDetects large ICMP packets to external host.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1041
T1572
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
Version1.0.2
Arm template6df85d74-e32f-4b71-80e5-bfe2af00be1c.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where NetworkProtocol =~ 'ICMP'
| summarize avg_packet_length = avg(toint(NetworkBytes))
| extend a = 1
| join (UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | extend a = 1) on a
| where toint(NetworkBytes) > 2*avg_packet_length
| extend IPCustomEntity = SrcIpAddr
description: |
    'Detects large ICMP packets to external host.'
version: 1.0.2
tactics:
- Exfiltration
- CommandAndControl
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
queryFrequency: 1h
triggerThreshold: 0
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where NetworkProtocol =~ 'ICMP'
  | summarize avg_packet_length = avg(toint(NetworkBytes))
  | extend a = 1
  | join (UbiquitiAuditEvent
    | where EventCategory =~ 'firewall'
    | where ipv4_is_private(SrcIpAddr)
    | where ipv4_is_private(DstIpAddr) == 'False'
    | where NetworkProtocol =~ 'ICMP'
    | extend a = 1) on a
  | where toint(NetworkBytes) > 2*avg_packet_length
  | extend IPCustomEntity = SrcIpAddr  
triggerOperator: gt
status: Available
relevantTechniques:
- T1041
- T1572
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
queryPeriod: 14d
id: 6df85d74-e32f-4b71-80e5-bfe2af00be1c
name: Ubiquiti - Large ICMP to external server
kind: Scheduled
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6df85d74-e32f-4b71-80e5-bfe2af00be1c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6df85d74-e32f-4b71-80e5-bfe2af00be1c')]",
      "properties": {
        "alertRuleTemplateName": "6df85d74-e32f-4b71-80e5-bfe2af00be1c",
        "customDetails": null,
        "description": "'Detects large ICMP packets to external host.'\n",
        "displayName": "Ubiquiti - Large ICMP to external server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where NetworkProtocol =~ 'ICMP'\n| summarize avg_packet_length = avg(toint(NetworkBytes))\n| extend a = 1\n| join (UbiquitiAuditEvent\n  | where EventCategory =~ 'firewall'\n  | where ipv4_is_private(SrcIpAddr)\n  | where ipv4_is_private(DstIpAddr) == 'False'\n  | where NetworkProtocol =~ 'ICMP'\n  | extend a = 1) on a\n| where toint(NetworkBytes) > 2*avg_packet_length\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1041",
          "T1572"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}