Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ubiquiti - Unusual FTP connection to external server

Back
Idfd200125-9d57-4838-85ca-6430c63e4e5d
RulenameUbiquiti - Unusual FTP connection to external server
DescriptionDetects local to remote (L2R) FTP connections.
SeverityMedium
TacticsExfiltration
CommandAndControl
TechniquesT1048
T1071.002
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
Version1.0.3
Arm templatefd200125-9d57-4838-85ca-6430c63e4e5d.json
Deploy To Azure
let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr
description: |
    'Detects local to remote (L2R) FTP connections.'
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
queryPeriod: 1h
query: |
  let allowed_ftp = dynamic(['127.0.0.2']);
  UbiquitiAuditEvent
  | where EventCategory == 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in ('20', '21')
  | where DstIpAddr !in (allowed_ftp)
  | extend IPCustomEntity = SrcIpAddr  
status: Available
id: fd200125-9d57-4838-85ca-6430c63e4e5d
name: Ubiquiti - Unusual FTP connection to external server
kind: Scheduled
version: 1.0.3
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
triggerThreshold: 0
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
relevantTechniques:
- T1048
- T1071.002
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - Ubiquiti_CL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "properties": {
        "alertRuleTemplateName": "fd200125-9d57-4838-85ca-6430c63e4e5d",
        "customDetails": null,
        "description": "'Detects local to remote (L2R) FTP connections.'\n",
        "displayName": "Ubiquiti - Unusual FTP connection to external server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml",
        "query": "let allowed_ftp = dynamic(['127.0.0.2']);\nUbiquitiAuditEvent\n| where EventCategory == 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in ('20', '21')\n| where DstIpAddr !in (allowed_ftp)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1071.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Exfiltration"
        ],
        "techniques": [
          "T1048",
          "T1071"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}