Digital Guardian - Sensitive data transfer over insecure channel

Back


Id	b52cda18-c1af-40e5-91f3-1fcbf9fa267e
Rulename	Digital Guardian - Sensitive data transfer over insecure channel
Description	Detects sensitive data transfer over insecure channel.
Severity	Medium
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version	1.0.2
Arm template	b52cda18-c1af-40e5-91f3-1fcbf9fa267e.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

YAML

version: 1.0.2
kind: Scheduled
relevantTechniques:
- T1048
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
name: Digital Guardian - Sensitive data transfer over insecure channel
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
status: Available
triggerOperator: gt
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
tactics:
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
queryFrequency: 1h
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
queryPeriod: 1h
severity: Medium
triggerThreshold: 0
description: |
    'Detects sensitive data transfer over insecure channel.'

ARM