Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Connection to known malicious IP or C2

Back
Iddb60ca0b-b668-439b-b889-b63b57ef20fb
RulenameUbiquiti - Connection to known malicious IP or C2
DescriptionDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1071
T1571
T1572
Required data connectorsCustomLogsAma
UbiquitiUnifi
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
Version1.0.1
Arm templatedb60ca0b-b668-439b-b889-b63b57ef20fb.json
Deploy To Azure
let malicious_ips =
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize make_list(NetworkIP);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
| extend IPCustomEntity = SrcIpAddr
version: 1.0.1
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1071
- T1571
- T1572
status: Available
kind: Scheduled
triggerThreshold: 0
query: |
  let malicious_ips =
  ThreatIntelligenceIndicator
  | where isnotempty(NetworkIP)
  | summarize make_list(NetworkIP);
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstIpAddr in (malicious_ips)
  | where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: Ubiquiti - Connection to known malicious IP or C2
queryPeriod: 14d
description: |
    'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'
requiredDataConnectors:
- dataTypes:
  - UbiquitiAuditEvent
  connectorId: UbiquitiUnifi
- dataTypes:
  - Ubiquiti_CL
  connectorId: CustomLogsAma
id: db60ca0b-b668-439b-b889-b63b57ef20fb
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
tactics:
- Exfiltration
- CommandAndControl
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "properties": {
        "alertRuleTemplateName": "db60ca0b-b668-439b-b889-b63b57ef20fb",
        "customDetails": null,
        "description": "'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'\n",
        "displayName": "Ubiquiti - Connection to known malicious IP or C2",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml",
        "query": "let malicious_ips =\nThreatIntelligenceIndicator\n| where isnotempty(NetworkIP)\n| summarize make_list(NetworkIP);\nUbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstIpAddr in (malicious_ips)\n| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1071",
          "T1571",
          "T1572"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}