Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Possible connection to cryptominning pool

Back
Id7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
RulenameUbiquiti - Possible connection to cryptominning pool
DescriptionDetects connections which may indicate that device is infected with cryptominer.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
T1095
T1571
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
Version1.0.2
Arm template7feb3c32-2a11-4eb8-a2d7-e3792b31cb80.json
Deploy To Azure
let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
UbiquitiAuditEvent
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
| extend IPCustomEntity = SrcIpAddr
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
severity: Medium
queryFrequency: 1h
id: 7feb3c32-2a11-4eb8-a2d7-e3792b31cb80
relevantTechniques:
- T1071
- T1095
- T1571
queryPeriod: 1h
name: Ubiquiti - Possible connection to cryptominning pool
status: Available
kind: Scheduled
tactics:
- CommandAndControl
triggerOperator: gt
version: 1.0.2
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
description: |
    'Detects connections which may indicate that device is infected with cryptominer.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
query: |
  let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);
  UbiquitiAuditEvent
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')
  | extend IPCustomEntity = SrcIpAddr  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
      "properties": {
        "alertRuleTemplateName": "7feb3c32-2a11-4eb8-a2d7-e3792b31cb80",
        "customDetails": null,
        "description": "'Detects connections which may indicate that device is infected with cryptominer.'\n",
        "displayName": "Ubiquiti - Possible connection to cryptominning pool",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml",
        "query": "let susp_dst_ports = dynamic(['14433', '14444', '3333', '3334', '3335', '3336', '4444', '45560', '45700', '5555', '5556', '6666', '7777', '8788', '8888', '8899', '9999', '10034']);\nUbiquitiAuditEvent\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in (susp_dst_ports)  or (DnsQuery contains 'pool' and DnsQuery contains 'xmr')\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071",
          "T1095",
          "T1571"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}