Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Digital Guardian - Sensitive data transfer over insecure channel

Back
Idb52cda18-c1af-40e5-91f3-1fcbf9fa267e
RulenameDigital Guardian - Sensitive data transfer over insecure channel
DescriptionDetects sensitive data transfer over insecure channel.
SeverityMedium
TacticsExfiltration
TechniquesT1048
Required data connectorsDigitalGuardianDLP
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version1.0.1
Arm templateb52cda18-c1af-40e5-91f3-1fcbf9fa267e.json
Deploy To Azure
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
name: Digital Guardian - Sensitive data transfer over insecure channel
version: 1.0.1
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1048
status: Available
description: |
    'Detects sensitive data transfer over insecure channel.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
  dataTypes:
  - DigitalGuardianDLPEvent
- connectorId: SyslogAma
  datatypes:
  - Syslog
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
tactics:
- Exfiltration
queryPeriod: 1h
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
kind: Scheduled
triggerThreshold: 0
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52cda18-c1af-40e5-91f3-1fcbf9fa267e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52cda18-c1af-40e5-91f3-1fcbf9fa267e')]",
      "properties": {
        "alertRuleTemplateName": "b52cda18-c1af-40e5-91f3-1fcbf9fa267e",
        "customDetails": null,
        "description": "'Detects sensitive data transfer over insecure channel.'\n",
        "displayName": "Digital Guardian - Sensitive data transfer over insecure channel",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml",
        "query": "DigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| where isnotempty(inspected_document)\n| where NetworkApplicationProtocol =~ 'HTTP'\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}