Zero Networks Segment - Rare JIT Rule Creation
| Id | 58688058-68b2-4b39-8009-ac6dc4d81ea1 |
| Rulename | Zero Networks Segment - Rare JIT Rule Creation |
| Description | Identifies when a JIT Rule connection by a given account today is new or rare compared with the previous 14 days. JIT Rule creations are indicated by the Activity Type Id 20 |
| Severity | Medium |
| Tactics | LateralMovement |
| Techniques | T1021 |
| Required data connectors | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml |
| Version | 1.0.2 |
| Arm template | 58688058-68b2-4b39-8009-ac6dc4d81ea1.json |
// Rare/new JIT rule creation: compares JIT rule creations (AuditTypeId 20) in the
// most recent `endtime` window against the preceding `starttime` window and keeps
// only destinations that have no JIT rule creation in that baseline.
// starttime: total lookback (matches the rule's queryPeriod of 14d);
// endtime: the "today" window (matches the queryFrequency of 1d).
let starttime = 14d;
let endtime = 1d;
ZNSegmentAudit
// Recent leg: JIT rule creations in the last day, reduced to one row per
// account/destination pair with first seen, last seen and row count.
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
// Baseline leg: every destination with a JIT rule creation in the prior window
// [ago(starttime) .. ago(endtime)]. kind=leftanti keeps recent rows whose
// destination does NOT appear in the baseline, so this is a "first seen in
// 14 days" check rather than a frequency-based "rare" check: a destination that
// appears even once in the baseline is dropped.
// NOTE(review): the baseline is keyed on DestinationEntityName only, not on
// PerformedByName, so a destination first targeted by a different account within
// the prior 14 days suppresses this account's alert; confirm that matches the
// intended "by a given account" behaviour in the description.
// KQL `between` is inclusive at both ends, so a record stamped exactly at
// ago(endtime) lands in both legs; the effect is negligible at 1d granularity.
| join kind=leftanti (
ZNSegmentAudit
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
// Re-aggregate per account/destination. The left side is already one row per
// pair after the first summarize, so this appears to only normalise the output
// columns; the alert's TimeGenerated is then set to the first occurrence.
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
relevantTechniques:
- T1021
queryFrequency: 1d
description: |
'Identifies when a JIT Rule connection by a given account today is new or rare compared with the previous 14 days.
JIT Rule creations are indicated by the Activity Type Id 20'
severity: Medium
entityMappings:
- fieldMappings:
- identifier: Name
columnName: PerformedByName
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: DestinationEntityName
entityType: Host
triggerThreshold: 0
tactics:
- LateralMovement
requiredDataConnectors:
- dataTypes:
- ZNSegmentAudit_CL
connectorId: ZeroNetworksSegmentAuditFunction
- dataTypes:
- ZNSegmentAuditNativePoller_CL
connectorId: ZeroNetworksSegmentAuditNativePoller
queryPeriod: 14d
id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
query: |
// Rare/new JIT rule creation: compares JIT rule creations (AuditTypeId 20) in the
// most recent `endtime` window against the preceding `starttime` window and keeps
// only destinations that have no JIT rule creation in that baseline.
// starttime: total lookback (matches the rule's queryPeriod of 14d);
// endtime: the "today" window (matches the queryFrequency of 1d).
let starttime = 14d;
let endtime = 1d;
ZNSegmentAudit
// Recent leg: JIT rule creations in the last day, reduced to one row per
// account/destination pair with first seen, last seen and row count.
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
// Baseline leg: every destination with a JIT rule creation in the prior window
// [ago(starttime) .. ago(endtime)]. kind=leftanti keeps recent rows whose
// destination does NOT appear in the baseline, so this is a "first seen in
// 14 days" check rather than a frequency-based "rare" check: a destination that
// appears even once in the baseline is dropped.
// NOTE(review): the baseline is keyed on DestinationEntityName only, not on
// PerformedByName, so a destination first targeted by a different account within
// the prior 14 days suppresses this account's alert; confirm that matches the
// intended "by a given account" behaviour in the description.
// KQL `between` is inclusive at both ends, so a record stamped exactly at
// ago(endtime) lands in both legs; the effect is negligible at 1d granularity.
| join kind=leftanti (
ZNSegmentAudit
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
// Re-aggregate per account/destination. The left side is already one row per
// pair after the first summarize, so this appears to only normalise the output
// columns; the alert's TimeGenerated is then set to the first occurrence.
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
name: Zero Networks Segment - Rare JIT Rule Creation
version: 1.0.2
kind: Scheduled
status: Available