Ubiquiti - Unusual FTP connection to external server

Back


Id	fd200125-9d57-4838-85ca-6430c63e4e5d
Rulename	Ubiquiti - Unusual FTP connection to external server
Description	Detects local to remote (L2R) FTP connections.
Severity	Medium
Tactics	Exfiltration
Required data connectors	UbiquitiUnifi
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
Version	1.0.0
Arm template	fd200125-9d57-4838-85ca-6430c63e4e5d.json

KQL

let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr

YAML

queryPeriod: 1h
version: 1.0.0
queryFrequency: 1h
kind: Scheduled
severity: Medium
name: Ubiquiti - Unusual FTP connection to external server
id: fd200125-9d57-4838-85ca-6430c63e4e5d
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
query: |
  let allowed_ftp = dynamic(['127.0.0.2']);
  UbiquitiAuditEvent
  | where EventCategory == 'firewall'
  | where ipv4_is_private(SrcIpAddr)
  | where ipv4_is_private(DstIpAddr) == 'False'
  | where DstPortNumber in ('20', '21')
  | where DstIpAddr !in (allowed_ftp)
  | extend IPCustomEntity = SrcIpAddr  
tactics:
- Exfiltration
description: |
    'Detects local to remote (L2R) FTP connections.'
requiredDataConnectors:
- connectorId: UbiquitiUnifi
  dataTypes:
  - UbiquitiAuditEvent
status: Available
triggerThreshold: 0
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd200125-9d57-4838-85ca-6430c63e4e5d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Ubiquiti - Unusual FTP connection to external server",
        "description": "'Detects local to remote (L2R) FTP connections.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let allowed_ftp = dynamic(['127.0.0.2']);\nUbiquitiAuditEvent\n| where EventCategory == 'firewall'\n| where ipv4_is_private(SrcIpAddr)\n| where ipv4_is_private(DstIpAddr) == 'False'\n| where DstPortNumber in ('20', '21')\n| where DstIpAddr !in (allowed_ftp)\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "alertRuleTemplateName": "fd200125-9d57-4838-85ca-6430c63e4e5d",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}