detection.wiki

Detection rules › Kusto

SFTP File transfer folder count above threshold

Severity
medium
Time window
15m
Group by
Computer, src_ip, username
Source
github.com/Azure/Azure-Sentinel

'Identifies SFTP File Transfers with distinct folder count above certain threshold in a 15min time period. It requires SFTP VERBOSE loglevel to be enabled. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'

MITRE ATT&CK coverage

TacticTechniques
ExfiltrationT1020 Automated Exfiltration

Rule body kusto

id: 7355434e-09d5-4401-b56d-e03e9379dfb1
name: SFTP File transfer folder count above threshold
description: |
  'Identifies SFTP File Transfers with distinct folder count above certain threshold in a 15min time period.
   It requires SFTP VERBOSE loglevel to be enabled.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'
severity: Medium
requiredDataConnectors:
  - connectorId: Syslog
    dataTypes:
      - Syslog
  - connectorId: SyslogAma
    dataTypes: 
      - Syslog
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1020
query: |
  let threshold = 10;
  Syslog
  | where ProcessName has "sftp"
      and SyslogMessage has "close "
      and SyslogMessage has " bytes read "
  | parse SyslogMessage with "close \"" filepath "\" bytes read " readbytes: int " written " writtenbytes: int
  | parse kind=regex filepath with dirpath:string "/" filename:string
  | join kind=leftouter (
      Syslog
      | where ProcessName has "sftp" and SyslogMessage has "session opened for"
      | parse SyslogMessage with "session opened for local user " username: string " from [" src_ip "]"
      | project username, src_ip, ProcessID
      )
      on ProcessID
  | project-away ProcessID1
  | summarize count_distinct_dirpath=dcount(dirpath), dirlist=make_set(dirpath) by Computer, username, src_ip, bin(TimeGenerated, 15m)
  | where count_distinct_dirpath >= threshold
  | extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: username
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: src_ip
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: DirSample
customDetails:
  TransferCount: count_distinct_dirpath
  FilesList: dirlist
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - Account
    - Host
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.2
kind: Scheduled

Stages and Predicates

Parameters

let threshold = 10;

Stage 1: source

Syslog

Stage 2: where

| where ProcessName has "sftp"
    and SyslogMessage has "close "
    and SyslogMessage has " bytes read "

Stage 3: parse

| parse SyslogMessage with "close \"" filepath "\" bytes read " readbytes: int " written " writtenbytes: int

Stage 4: parse

| parse kind=regex filepath with dirpath:string "/" filename:string

Stage 5: join

| join kind=leftouter (
    Syslog
    | where ProcessName has "sftp" and SyslogMessage has "session opened for"
    | parse SyslogMessage with "session opened for local user " username: string " from [" src_ip "]"
    | project username, src_ip, ProcessID
    )
    on ProcessID

Stage 6: project-away

| project-away ProcessID1

Stage 7: summarize

| summarize count_distinct_dirpath=dcount(dirpath), dirlist=make_set(dirpath) by Computer, username, src_ip, bin(TimeGenerated, 15m)
Threshold
ge 10

Stage 8: where

| where count_distinct_dirpath >= threshold

Stage 9: extend

| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
DirSample =
ifdirlist == 1tostring(dirlist[0])
elsestrcat("SeeDirListField", "_", tostring(hash(tostring(dirlist))))

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ProcessNamematch
  • sftp transforms: term
SyslogMessagematch
  • bytes read transforms: term
  • close transforms: term
  • session opened for transforms: term
count_distinct_dirpathge
  • 10 transforms: cased

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Computersummarize
count_distinct_dirpathsummarize
dirlistsummarize
src_ipsummarize
usernamesummarize
DirSampleextend