Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Connection to known malicious IP or C2

Back
Iddb60ca0b-b668-439b-b889-b63b57ef20fb
RulenameUbiquiti - Connection to known malicious IP or C2
DescriptionDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1071
T1571
T1572
Required data connectorsUbiquitiUnifi
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
Version1.0.0
Arm templatedb60ca0b-b668-439b-b889-b63b57ef20fb.json
Deploy To Azure
let malicious_ips =
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize make_list(NetworkIP);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
| extend IPCustomEntity = SrcIpAddr
name: Ubiquiti - Connection to known malicious IP or C2
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- Exfiltration
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
queryPeriod: 14d
queryFrequency: 1h
version: 1.0.0
triggerOperator: gt
description: |
    'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'
query: |
  let malicious_ips =
  ThreatIntelligenceIndicator
  | where isnotempty(NetworkIP)
  | summarize make_list(NetworkIP);
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstIpAddr in (malicious_ips)
  | where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
  | extend IPCustomEntity = SrcIpAddr  
relevantTechniques:
- T1071
- T1571
- T1572
id: db60ca0b-b668-439b-b889-b63b57ef20fb
requiredDataConnectors:
- dataTypes:
  - UbiquitiAuditEvent
  connectorId: UbiquitiUnifi
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "properties": {
        "alertRuleTemplateName": "db60ca0b-b668-439b-b889-b63b57ef20fb",
        "customDetails": null,
        "description": "'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'\n",
        "displayName": "Ubiquiti - Connection to known malicious IP or C2",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml",
        "query": "let malicious_ips =\nThreatIntelligenceIndicator\n| where isnotempty(NetworkIP)\n| summarize make_list(NetworkIP);\nUbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstIpAddr in (malicious_ips)\n| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1071",
          "T1571",
          "T1572"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}