Ubiquiti - Unusual FTP connection to external server
| Id | fd200125-9d57-4838-85ca-6430c63e4e5d |
| Rulename | Ubiquiti - Unusual FTP connection to external server |
| Description | Detects local to remote (L2R) FTP connections. |
| Severity | Medium |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1048 T1071.002 |
| Required data connectors | CustomLogsAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml |
| Version | 1.0.3 |
| Arm template | fd200125-9d57-4838-85ca-6430c63e4e5d.json |
let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr
name: Ubiquiti - Unusual FTP connection to external server
id: fd200125-9d57-4838-85ca-6430c63e4e5d
description: |
'Detects local to remote (L2R) FTP connections.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
version: 1.0.3
triggerOperator: gt
query: |
let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr
tactics:
- Exfiltration
- CommandAndControl
kind: Scheduled
queryFrequency: 1h
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
- Ubiquiti_CL
connectorId: CustomLogsAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
relevantTechniques:
- T1048
- T1071.002