IDP Alert

Back


Id	c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename	IDP Alert
Description	This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity	Medium
Tactics	DefenseEvasion Impact
Techniques	T1578 T1531
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version	1.0.0
Arm template	c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json

KQL

SecurityIncident
| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"

YAML

triggerOperator: gt
queryFrequency: 5m
description: |
    'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors: []
version: 1.0.0
queryPeriod: 5m
name: IDP Alert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
tactics:
- DefenseEvasion
- Impact
relevantTechniques:
- T1578
- T1531
severity: Medium
entityMappings: 
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "properties": {
        "alertRuleTemplateName": "c982bcc1-ef73-485b-80d5-2a637ce4ab2b",
        "customDetails": null,
        "description": "'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'\n",
        "displayName": "IDP Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description == \"IDP Compromised\" and Status has \"New\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}