IDP Alert

Back


Id	c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename	IDP Alert
Description	This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity	Medium
Tactics	DefenseEvasion Impact
Techniques	T1578 T1531
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version	1.0.0
Arm template	c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json

KQL

SecurityIncident
| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"

YAML

severity: Medium
relevantTechniques:
- T1578
- T1531
queryFrequency: 5m
kind: Scheduled
version: 1.0.0
name: IDP Alert
triggerOperator: gt
description: |
    'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
queryPeriod: 5m
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"  
entityMappings: 
tactics:
- DefenseEvasion
- Impact
status: Available
triggerThreshold: 0
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
requiredDataConnectors: []

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "properties": {
        "alertRuleTemplateName": "c982bcc1-ef73-485b-80d5-2a637ce4ab2b",
        "customDetails": null,
        "description": "'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'\n",
        "displayName": "IDP Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description == \"IDP Compromised\" and Status has \"New\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}