Digital Guardian - Sensitive data transfer over insecure channel

Back


Id	b52cda18-c1af-40e5-91f3-1fcbf9fa267e
Rulename	Digital Guardian - Sensitive data transfer over insecure channel
Description	Detects sensitive data transfer over insecure channel.
Severity	Medium
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version	1.0.2
Arm template	b52cda18-c1af-40e5-91f3-1fcbf9fa267e.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

YAML

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
tactics:
- Exfiltration
name: Digital Guardian - Sensitive data transfer over insecure channel
relevantTechniques:
- T1048
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects sensitive data transfer over insecure channel.'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
queryPeriod: 1h
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e

ARM