Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Possible connection to cryptominning pool

Back
Id7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
RulenameUbiquiti - Possible connection to cryptominning pool
DescriptionDetects connections which may indicate that device is infected with cryptominer.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
T1095
T1571
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
Version1.0.2
Arm template7feb3c32-2a11-4eb8-a2d7-e3792b31cb80.json
Deploy To Azure
let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
UbiquitiAuditEvent
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
| extend IPCustomEntity = SrcIpAddr
kind: Scheduled
status: Available
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
queryFrequency: 1h
version: 1.0.2
id: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
relevantTechniques:
- T1071
- T1095
- T1571
query: |
  let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
  UbiquitiAuditEvent
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
  | extend IPCustomEntity = SrcIpAddr  
name: Ubiquiti - Possible connection to cryptominning pool
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
severity: Medium
triggerThreshold: 0
tactics:
- CommandAndControl
queryPeriod: 1h
description: |
    'Detects connections which may indicate that device is infected with cryptominer.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "properties": {
        "alertRuleTemplateName": "7feb3c32-2a11-4eb8-a2d7-e3792b31cb80",
        "customDetails": null,
        "description": "'Detects connections which may indicate that device is infected with cryptominer.'\n",
        "displayName": "Ubiquiti - Possible connection to cryptominning pool",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml",
        "query": "let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);\nUbiquitiAuditEvent\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071",
          "T1095",
          "T1571"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}