Microsoft Sentinel Analytic Rules

Ubiquiti - Possible connection to cryptominning pool

Id: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
Rulename: Ubiquiti - Possible connection to cryptominning pool
Description: Detects connections which may indicate that a device is infected with a cryptominer.
Severity: Medium
Tactics: CommandAndControl
Techniques: T1071, T1095, T1571
Required data connectors: CustomLogsAma, UbiquitiUnifi
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
Version: 1.0.1
Arm template: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80.json
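// Flags internal hosts that talk to well-known mining-pool ports, or that
// resolve a hostname naming an XMR (Monero) pool. Either is a candidate
// cryptominer infection on the source device.
//
// The port list is string literals. NOTE(review): that only matches if the
// UbiquitiAuditEvent parser emits DstPortNumber as a string — if the column is
// an int, `in` will not match these literals; confirm the column type.
// Several of these ports (e.g. 4444, 5555, 8888) are also used by ordinary
// services, so port-only hits are worth tuning against known-good
// destinations before raising severity.
let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
UbiquitiAuditEvent
// Source must be an RFC1918/private address (an internal device).
| where ipv4_is_private(SrcIpAddr)
// Destination must be outside the private ranges. Uses the native boolean
// form instead of comparing the bool result to the string literal 'False'.
// ipv4_is_private() presumably yields null for non-IPv4 input, and a null
// predicate drops the row in both forms — behaviour is unchanged.
| where not(ipv4_is_private(DstIpAddr))
// Known pool ports, OR a DNS lookup that mentions both 'pool' and 'xmr'
// (`contains` is case-insensitive). The DNS branch is not port-restricted.
| where DstPortNumber in (susp_dst_ports) or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
// The private source address is what the entity mapping surfaces as the
// incident's IP entity — i.e. the suspected infected host, not the pool.
| extend IPCustomEntity = SrcIpAddr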
# Data connectors that can feed this rule: the UbiquitiUnifi connector
# (UbiquitiAuditEvent) and Custom Logs via AMA (Ubiquiti_CL).
# NOTE(review): the query below reads only UbiquitiAuditEvent, so the
# Ubiquiti_CL path presumably relies on a parser function that exposes the raw
# table under that name — confirm against the solution's parser.
requiredDataConnectors:
- connectorId: UbiquitiUnifi
  dataTypes:
  - UbiquitiAuditEvent
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
status: Available
# ATT&CK techniques claimed by the rule: T1071 Application Layer Protocol,
# T1095 Non-Application Layer Protocol, T1571 Non-Standard Port.
relevantTechniques:
- T1071
- T1095
- T1571
# Runs every hour; the lookback (queryPeriod) below matches the run interval.
queryFrequency: 1h
id: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
name: Ubiquiti - Possible connection to cryptominning pool
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
queryPeriod: 1h
# IPCustomEntity is set to SrcIpAddr in the query, so the IP entity on the
# incident is the private (internal) host, not the external destination.
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
description: |
    'Detects connections which may indicate that device is infected with cryptominer.'
# Together with triggerOperator: gt below, any result row (count > 0) fires.
triggerThreshold: 0
tactics:
- CommandAndControl
# KQL body (also embedded in the ARM template). Private source -> non-private
# destination on a listed mining-pool port, or a DNS query containing both
# 'pool' and 'xmr'. NOTE(review): ipv4_is_private() is compared to the string
# literal 'False' rather than the boolean false, and the port list holds string
# literals — confirm DstPortNumber's type in the parser before relying on the
# port branch. Do not put YAML comments inside the block scalar below; they
# would become part of the query text.
query: |
  let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
  UbiquitiAuditEvent
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
  | extend IPCustomEntity = SrcIpAddr  
kind: Scheduled
triggerOperator: gt
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "properties": {
        "alertRuleTemplateName": "7feb3c32-2a11-4eb8-a2d7-e3792b31cb80",
        "customDetails": null,
        "description": "'Detects connections which may indicate that device is infected with cryptominer.'\n",
        "displayName": "Ubiquiti - Possible connection to cryptominning pool",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml",
        "query": "let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);\nUbiquitiAuditEvent\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071",
          "T1095",
          "T1571"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}