Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Connection to known malicious IP or C2

Back
Iddb60ca0b-b668-439b-b889-b63b57ef20fb
RulenameUbiquiti - Connection to known malicious IP or C2
DescriptionDetects allowed connections to IP addresses which are in TI list and are known to be malicious.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1071
T1571
T1572
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
Version1.0.2
Arm templatedb60ca0b-b668-439b-b889-b63b57ef20fb.json
Deploy To Azure
let malicious_ips =
ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize make_list(NetworkIP);
UbiquitiAuditEvent
| where EventCategory =~ 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstIpAddr in (malicious_ips)
| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
| extend IPCustomEntity = SrcIpAddr
query: |
  let malicious_ips =
  ThreatIntelligenceIndicator
  | where isnotempty(NetworkIP)
  | summarize make_list(NetworkIP);
  UbiquitiAuditEvent
  | where EventCategory =~ 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstIpAddr in (malicious_ips)
  | where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'
  | extend IPCustomEntity = SrcIpAddr  
queryPeriod: 14d
queryFrequency: 1h
status: Available
id: db60ca0b-b668-439b-b889-b63b57ef20fb
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
relevantTechniques:
- T1071
- T1571
- T1572
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
name: Ubiquiti - Connection to known malicious IP or C2
description: |
    'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'
tactics:
- Exfiltration
- CommandAndControl
severity: Medium
triggerThreshold: 0
version: 1.0.2
kind: Scheduled
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/db60ca0b-b668-439b-b889-b63b57ef20fb')]",
      "properties": {
        "alertRuleTemplateName": "db60ca0b-b668-439b-b889-b63b57ef20fb",
        "customDetails": null,
        "description": "'Detects allowed connections to IP addresses which are in TI list and are known to be malicious.'\n",
        "displayName": "Ubiquiti - Connection to known malicious IP or C2",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml",
        "query": "let malicious_ips =\nThreatIntelligenceIndicator\n| where isnotempty(NetworkIP)\n| summarize make_list(NetworkIP);\nUbiquitiAuditEvent\n| where EventCategory =~ 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstIpAddr in (malicious_ips)\n| where DvcAction =~ 'Accepted' or DvcAction =~ 'Other'\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1071",
          "T1571",
          "T1572"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}