Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - Connection to known malicious IP or C2

Ubiquiti - Connection to known malicious IP or C2

Back
Iddb60ca0b-b668-439b-b889-b63b57ef20fb
RulenameUbiquiti - Connection to known malicious IP or C2
DescriptionDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1071
T1571
T1572
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
Version1.0.2
Arm templatedb60ca0b-b668-439b-b889-b63b57ef20fb.json
Deploy To Azure
let malicious_ips =
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize make_list(NetworkIP);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
| extend IPCustomEntity = SrcIpAddr

queryPeriod: 14d
query: |
  let malicious_ips =
  ThreatIntelligenceIndicator
  | where isnotempty(NetworkIP)
  | summarize make_list(NetworkIP);
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstIpAddr in (malicious_ips)
  | where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
  | extend IPCustomEntity = SrcIpAddr  
name: Ubiquiti - Connection to known malicious IP or C2
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
description: |
    'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'
kind: Scheduled
version: 1.0.2
status: Available
severity: Medium
relevantTechniques:
- T1071
- T1571
- T1572
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
- CommandAndControl
id: db60ca0b-b668-439b-b889-b63b57ef20fb