Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Digital Guardian - Sensitive data transfer over insecure channel

Back
Idb52cda18-c1af-40e5-91f3-1fcbf9fa267e
RulenameDigital Guardian - Sensitive data transfer over insecure channel
DescriptionDetects sensitive data transfer over insecure channel.
SeverityMedium
TacticsExfiltration
TechniquesT1048
Required data connectorsDigitalGuardianDLP
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version1.0.1
Arm templateb52cda18-c1af-40e5-91f3-1fcbf9fa267e.json
Deploy To Azure
DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
queryPeriod: 1h
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
  dataTypes:
  - DigitalGuardianDLPEvent
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
tactics:
- Exfiltration
triggerOperator: gt
severity: Medium
name: Digital Guardian - Sensitive data transfer over insecure channel
relevantTechniques:
- T1048
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
queryFrequency: 1h
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
status: Available
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
version: 1.0.1
description: |
    'Detects sensitive data transfer over insecure channel.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52cda18-c1af-40e5-91f3-1fcbf9fa267e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52cda18-c1af-40e5-91f3-1fcbf9fa267e')]",
      "properties": {
        "alertRuleTemplateName": "b52cda18-c1af-40e5-91f3-1fcbf9fa267e",
        "customDetails": null,
        "description": "'Detects sensitive data transfer over insecure channel.'\n",
        "displayName": "Digital Guardian - Sensitive data transfer over insecure channel",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml",
        "query": "DigitalGuardianDLPEvent\n| where isnotempty(MatchedPolicies)\n| where isnotempty(inspected_document)\n| where NetworkApplicationProtocol =~ 'HTTP'\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}