Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ubiquiti - Connection to known malicious IP or C2

Ubiquiti - Connection to known malicious IP or C2

Back
Iddb60ca0b-b668-439b-b889-b63b57ef20fb
RulenameUbiquiti - Connection to known malicious IP or C2
DescriptionDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1071
T1571
T1572
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
Version1.0.2
Arm templatedb60ca0b-b668-439b-b889-b63b57ef20fb.json
Deploy To Azure
let malicious_ips =
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize make_list(NetworkIP);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
| extend IPCustomEntity = SrcIpAddr

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
query: |
  let malicious_ips =
  ThreatIntelligenceIndicator
  | where isnotempty(NetworkIP)
  | summarize make_list(NetworkIP);
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstIpAddr in (malicious_ips)
  | where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
tactics:
- Exfiltration
- CommandAndControl
name: Ubiquiti - Connection to known malicious IP or C2
relevantTechniques:
- T1071
- T1571
- T1572
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
queryPeriod: 14d
id: db60ca0b-b668-439b-b889-b63b57ef20fb