Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zero Networks Segment - Rare JIT Rule Creation

RulenameZero Networks Segment - Rare JIT Rule Creation
DescriptionIdentifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.

JIT Rule creations are indicated by the Activity Type Id 20
Required data connectorsZeroNetworksSegmentAuditFunction
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Uri Rules/ZNSegmentRareJITRuleCreation.yaml
Arm template58688058-68b2-4b39-8009-ac6dc4d81ea1.json
Deploy To Azure
let starttime = 14d;
let endtime = 1d;
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
  // use left anti to exclude anything from the previous 14 days that is not rare
| join kind=leftanti (
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
- T1021
queryPeriod: 14d
- LateralMovement
- dataTypes:
  - ZNSegmentAudit_CL
  connectorId: ZeroNetworksSegmentAuditFunction
- dataTypes:
  - ZNSegmentAuditNativePoller_CL
  connectorId: ZeroNetworksSegmentAuditNativePoller
triggerThreshold: 0
- fieldMappings:
  - identifier: Name
    columnName: PerformedByName
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: DestinationEntityName
  entityType: Host
name: Zero Networks Segment - Rare JIT Rule Creation
status: Available
query: |
  let starttime = 14d;
  let endtime = 1d;
  | where TimeGenerated >= ago(endtime)
  | where AuditTypeId == 20
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
  by PerformedByName, tostring(DestinationEntityName)
    // use left anti to exclude anything from the previous 14 days that is not rare
  | join kind=leftanti (
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
  | where AuditTypeId == 20
  | summarize by tostring(DestinationEntityName)
  ) on DestinationEntityName
  | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
  by PerformedByName, DestinationEntityName
  | extend TimeGenerated = StartTime  
queryFrequency: 1d
id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
severity: Medium
description: |
  'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.
  JIT Rule creations are indicated by the Activity Type Id 20'  
version: 1.0.2
OriginalUri: Rules/ZNSegmentRareJITRuleCreation.yaml
kind: Scheduled
triggerOperator: gt
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "properties": {
        "alertRuleTemplateName": "58688058-68b2-4b39-8009-ac6dc4d81ea1",
        "customDetails": null,
        "description": "'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.\nJIT Rule creations are indicated by the Activity Type Id 20'\n",
        "displayName": "Zero Networks Segment - Rare JIT Rule Creation",
        "enabled": true,
        "entityMappings": [
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "PerformedByName",
                "identifier": "Name"
            "entityType": "Host",
            "fieldMappings": [
                "columnName": "DestinationEntityName",
                "identifier": "HostName"
        "OriginalUri": " Rules/ZNSegmentRareJITRuleCreation.yaml",
        "query": "let starttime = 14d;\nlet endtime = 1d;\nZNSegmentAudit\n| where TimeGenerated >= ago(endtime)\n| where AuditTypeId == 20\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\nby PerformedByName, tostring(DestinationEntityName)\n  // use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nZNSegmentAudit\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where AuditTypeId == 20\n| summarize by tostring(DestinationEntityName)\n) on DestinationEntityName\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\nby PerformedByName, DestinationEntityName\n| extend TimeGenerated = StartTime\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "techniques": [
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"