Microsoft Sentinel Analytic Rules

Digital Guardian - Unexpected protocol

Id: a14f2f95-bbd2-4036-ad59-e3aff132b296
Rule name: Digital Guardian - Unexpected protocol
Description: Detects RDP protocol usage for data transfer which is not common.
Severity: High
Tactics: Exfiltration
Techniques: T1048
Required data connectors: DigitalGuardianDLP
SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
Version: 1.0.1
Arm template: a14f2f95-bbd2-4036-ad59-e3aff132b296.json
// Select Digital Guardian DLP events whose destination port is the default RDP port (3389).
// The rule runs hourly over a 1h window with triggerThreshold 0 / triggerOperator gt, so every
// matching event raises an alert; there is no aggregation step to deduplicate repeated transfers.
DigitalGuardianDLPEvent
// NOTE(review): this matches the default RDP port only; RDP served on a non-standard port
// is not covered by this rule — confirm that is acceptable for the environment.
| where DstPortNumber == 3389
// Surface the source user so the Account entity mapping (columnName AccountCustomEntity) can resolve it.
| extend AccountCustomEntity = SrcUserName
# Sentinel scheduled analytic rule definition; the ARM template on this page is generated from it.
kind: Scheduled
relevantTechniques:
- T1048
description: |
    'Detects RDP protocol usage for data transfer which is not common.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- Exfiltration
name: Digital Guardian - Unexpected protocol
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
  dataTypes:
  - DigitalGuardianDLPEvent
- connectorId: SyslogAma
  # NOTE(review): this key is spelled `datatypes` while the connector above uses `dataTypes`;
  # confirm which spelling the rule schema expects, as a mismatched key may be ignored.
  datatypes:
  - Syslog
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    # Column is produced by the query's `extend AccountCustomEntity = SrcUserName`.
    columnName: AccountCustomEntity
# Threshold 0 with operator gt: a single matching event in the 1h window is enough to alert.
triggerThreshold: 0
version: 1.0.1
id: a14f2f95-bbd2-4036-ad59-e3aff132b296
query: |
  DigitalGuardianDLPEvent
  | where DstPortNumber == 3389
  | extend AccountCustomEntity = SrcUserName  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a14f2f95-bbd2-4036-ad59-e3aff132b296')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a14f2f95-bbd2-4036-ad59-e3aff132b296')]",
      "properties": {
        "alertRuleTemplateName": "a14f2f95-bbd2-4036-ad59-e3aff132b296",
        "customDetails": null,
        "description": "'Detects RDP protocol usage for data transfer which is not common.'\n",
        "displayName": "Digital Guardian - Unexpected protocol",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml",
        "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 3389\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}