Digital Guardian - Unexpected protocol

Back


Id	a14f2f95-bbd2-4036-ad59-e3aff132b296
Rulename	Digital Guardian - Unexpected protocol
Description	Detects RDP protocol usage for data transfer which is not common.
Severity	High
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
Version	1.0.2
Arm template	a14f2f95-bbd2-4036-ad59-e3aff132b296.json

KQL

DigitalGuardianDLPEvent
| where DstPortNumber == 3389
| extend AccountCustomEntity = SrcUserName

YAML

id: a14f2f95-bbd2-4036-ad59-e3aff132b296
tactics:
- Exfiltration
queryPeriod: 1h
triggerThreshold: 0
name: Digital Guardian - Unexpected protocol
query: |
  DigitalGuardianDLPEvent
  | where DstPortNumber == 3389
  | extend AccountCustomEntity = SrcUserName  
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1048
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Detects RDP protocol usage for data transfer which is not common.'
status: Available
version: 1.0.2
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a14f2f95-bbd2-4036-ad59-e3aff132b296')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a14f2f95-bbd2-4036-ad59-e3aff132b296')]",
      "properties": {
        "alertRuleTemplateName": "a14f2f95-bbd2-4036-ad59-e3aff132b296",
        "customDetails": null,
        "description": "'Detects RDP protocol usage for data transfer which is not common.'\n",
        "displayName": "Digital Guardian - Unexpected protocol",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianUnexpectedProtocol.yaml",
        "query": "DigitalGuardianDLPEvent\n| where DstPortNumber == 3389\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}