Digital Guardian - Sensitive data transfer over insecure channel

Back


Id	b52cda18-c1af-40e5-91f3-1fcbf9fa267e
Rulename	Digital Guardian - Sensitive data transfer over insecure channel
Description	Detects sensitive data transfer over insecure channel.
Severity	Medium
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version	1.0.2
Arm template	b52cda18-c1af-40e5-91f3-1fcbf9fa267e.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

YAML

name: Digital Guardian - Sensitive data transfer over insecure channel
kind: Scheduled
tactics:
- Exfiltration
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
status: Available
queryFrequency: 1h
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
relevantTechniques:
- T1048
description: |
    'Detects sensitive data transfer over insecure channel.'
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
queryPeriod: 1h
severity: Medium
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

ARM