Ubiquiti - Unusual FTP connection to external server

Back


Id	fd200125-9d57-4838-85ca-6430c63e4e5d
Rulename	Ubiquiti - Unusual FTP connection to external server
Description	Detects local to remote (L2R) FTP connections.
Severity	Medium
Tactics	Exfiltration
Required data connectors	UbiquitiUnifi
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
Version	1.0.0
Arm template	fd200125-9d57-4838-85ca-6430c63e4e5d.json

KQL

let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr

YAML

requiredDataConnectors:
- connectorId: UbiquitiUnifi
  dataTypes:
  - UbiquitiAuditEvent
triggerOperator: gt
version: 1.0.0
status: Available
queryPeriod: 1h
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
tactics:
- Exfiltration
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects local to remote (L2R) FTP connections.'
query: |
  let allowed_ftp = dynamic(['127.0.0.2']);
  UbiquitiAuditEvent
  | where EventCategory == 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in ('20', '21')
  | where DstIpAddr !in (allowed_ftp)
  | extend IPCustomEntity = SrcIpAddr  
id: fd200125-9d57-4838-85ca-6430c63e4e5d
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
name: Ubiquiti - Unusual FTP connection to external server

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "properties": {
        "alertRuleTemplateName": "fd200125-9d57-4838-85ca-6430c63e4e5d",
        "customDetails": null,
        "description": "'Detects local to remote (L2R) FTP connections.'\n",
        "displayName": "Ubiquiti - Unusual FTP connection to external server",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml",
        "query": "let allowed_ftp = dynamic(['127.0.0.2']);\nUbiquitiAuditEvent\n| where EventCategory == 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in ('20', '21')\n| where DstIpAddr !in (allowed_ftp)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}