Ubiquiti - RDP from external source

Back


Id	95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
Rulename	Ubiquiti - RDP from external source
Description	Detects remote to local (R2L) RDP connection.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	CustomLogsAma UbiquitiUnifi
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
Version	1.0.1
Arm template	95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08.json

KQL

UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '3389'
| extend IPCustomEntity = DstIpAddr

YAML

relevantTechniques:
- T1133
name: Ubiquiti - RDP from external source
requiredDataConnectors:
- dataTypes:
  - UbiquitiAuditEvent
  connectorId: UbiquitiUnifi
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: 95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects remote to local (R2L) RDP connection.'
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '3389'
  | extend IPCustomEntity = DstIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08')]",
      "properties": {
        "alertRuleTemplateName": "95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08",
        "customDetails": null,
        "description": "'Detects remote to local (R2L) RDP connection.'\n",
        "displayName": "Ubiquiti - RDP from external source",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml",
        "query": "UbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr) == 'False'\n| where ipv4_is_private(DstIpAddr)\n| where DstPortNumber == '3389'\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}