Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - RDP from external source

Ubiquiti - RDP from external source

Back
Id95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
RulenameUbiquiti - RDP from external source
DescriptionDetects remote to local (R2L) RDP connection.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
Version1.0.2
Arm template95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '3389'
| extend IPCustomEntity = DstIpAddr

relevantTechniques:
- T1133
queryFrequency: 1h
description: |
    'Detects remote to local (R2L) RDP connection.'
triggerThreshold: 0
id: 95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
name: Ubiquiti - RDP from external source
queryPeriod: 1h
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '3389'
  | extend IPCustomEntity = DstIpAddr  
severity: Medium
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
status: Available
version: 1.0.2
tactics:
- InitialAccess
kind: Scheduled