Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - RDP from external source

Ubiquiti - RDP from external source

Back
Id95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
RulenameUbiquiti - RDP from external source
DescriptionDetects remote to local (R2L) RDP connection.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
Version1.0.2
Arm template95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08.json
Deploy To Azure
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr) == 'False'
| where ipv4_is_private(DstIpAddr)
| where DstPortNumber == '3389'
| extend IPCustomEntity = DstIpAddr

name: Ubiquiti - RDP from external source
query: |
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr) == 'False'
  | where ipv4_is_private(DstIpAddr)
  | where DstPortNumber == '3389'
  | extend IPCustomEntity = DstIpAddr  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
description: |
    'Detects remote to local (R2L) RDP connection.'
version: 1.0.2
id: 95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08
kind: Scheduled
relevantTechniques:
- T1133
severity: Medium
tactics:
- InitialAccess
queryPeriod: 1h