Digital Guardian - Sensitive data transfer over insecure channel

Back


Id	b52cda18-c1af-40e5-91f3-1fcbf9fa267e
Rulename	Digital Guardian - Sensitive data transfer over insecure channel
Description	Detects sensitive data transfer over insecure channel.
Severity	Medium
Tactics	Exfiltration
Techniques	T1048
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
Version	1.0.2
Arm template	b52cda18-c1af-40e5-91f3-1fcbf9fa267e.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(MatchedPolicies)
| where isnotempty(inspected_document)
| where NetworkApplicationProtocol =~ 'HTTP'
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

YAML

entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Guardian Data Loss Prevention/Analytic Rules/DigitalGuardianClassifiedDataInsecureTransfer.yaml
version: 1.0.2
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(MatchedPolicies)
  | where isnotempty(inspected_document)
  | where NetworkApplicationProtocol =~ 'HTTP'
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
triggerThreshold: 0
relevantTechniques:
- T1048
queryPeriod: 1h
status: Available
severity: Medium
kind: Scheduled
name: Digital Guardian - Sensitive data transfer over insecure channel
queryFrequency: 1h
id: b52cda18-c1af-40e5-91f3-1fcbf9fa267e
description: |
    'Detects sensitive data transfer over insecure channel.'
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma

ARM