Ubiquiti - Unusual FTP connection to external server
| Id | fd200125-9d57-4838-85ca-6430c63e4e5d |
| Rulename | Ubiquiti - Unusual FTP connection to external server |
| Description | Detects local to remote (L2R) FTP connections. |
| Severity | Medium |
| Tactics | Exfiltration CommandAndControl |
| Techniques | T1048 T1071.002 |
| Required data connectors | CustomLogsAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml |
| Version | 1.0.3 |
| Arm template | fd200125-9d57-4838-85ca-6430c63e4e5d.json |
let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr
id: fd200125-9d57-4838-85ca-6430c63e4e5d
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
entityMappings:
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
requiredDataConnectors:
- dataTypes:
- Ubiquiti_CL
connectorId: CustomLogsAma
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
let allowed_ftp = dynamic(['127.0.0.2']);
UbiquitiAuditEvent
| where EventCategory == 'firewall'
| where ipv4_is_private(SrcIpAddr)
| where ipv4_is_private(DstIpAddr) == 'False'
| where DstPortNumber in ('20', '21')
| where DstIpAddr !in (allowed_ftp)
| extend IPCustomEntity = SrcIpAddr
name: Ubiquiti - Unusual FTP connection to external server
kind: Scheduled
tactics:
- Exfiltration
- CommandAndControl
severity: Medium
relevantTechniques:
- T1048
- T1071.002
triggerThreshold: 0
version: 1.0.3
description: |
'Detects local to remote (L2R) FTP connections.'