Digital Guardian - Sensitive data transfer over insecure channel

Back


Id	b52cda18-c1af-40e5-91f3-1fcbf9fa267e
Rulename	Digital Guardian - Sensitive data transfer over insecure channel
Description	Detects sensitive data transfer over insecure channel.
Severity	Medium
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version	1.0.2
Arm template	b52cda18-c1af-40e5-91f3-1fcbf9fa267e.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

YAML

name: Digital Guardian - Sensitive data transfer over insecure channel
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
description: |
    'Detects sensitive data transfer over insecure channel.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
version: 1.0.2
triggerOperator: gt
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
tactics:
- Exfiltration
kind: Scheduled
queryFrequency: 1h
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
relevantTechniques:
- T1048

ARM