Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Bitglass - Multiple files shared with external entity

Back
Id09690f9b-33d1-4372-a6aa-eb7d3b3cdebc
RulenameBitglass - Multiple files shared with external entity
DescriptionDetects when multiple files shared with external entity.
SeverityMedium
TacticsExfiltration
TechniquesT1567
Required data connectorsBitglass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassFilesSharedWithExternal.yaml
Version1.0.0
Arm template09690f9b-33d1-4372-a6aa-eb7d3b3cdebc.json
Deploy To Azure
let threshold = 5;
Bitglass
| where EventType =~ 'cloudaudit'
| where Action =~ 'Action  DLPScan'
| where EventMessage has_all ('External', 'Shared', 'DLP')
| summarize f_cnt = makeset(SrcFileName) by User, bin(TimeGenerated, 10m)
| where array_length(f_cnt) >= threshold
| extend AccountCustomEntity = User
version: 1.0.0
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1567
status: Available
kind: Scheduled
triggerThreshold: 0
query: |
  let threshold = 5;
  Bitglass
  | where EventType =~ 'cloudaudit'
  | where Action =~ 'Action  DLPScan'
  | where EventMessage has_all ('External', 'Shared', 'DLP')
  | summarize f_cnt = makeset(SrcFileName) by User, bin(TimeGenerated, 10m)
  | where array_length(f_cnt) >= threshold
  | extend AccountCustomEntity = User  
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
name: Bitglass - Multiple files shared with external entity
queryPeriod: 1h
description: |
    'Detects when multiple files shared with external entity.'
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
id: 09690f9b-33d1-4372-a6aa-eb7d3b3cdebc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassFilesSharedWithExternal.yaml
tactics:
- Exfiltration
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09690f9b-33d1-4372-a6aa-eb7d3b3cdebc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09690f9b-33d1-4372-a6aa-eb7d3b3cdebc')]",
      "properties": {
        "alertRuleTemplateName": "09690f9b-33d1-4372-a6aa-eb7d3b3cdebc",
        "customDetails": null,
        "description": "'Detects when multiple files shared with external entity.'\n",
        "displayName": "Bitglass - Multiple files shared with external entity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassFilesSharedWithExternal.yaml",
        "query": "let threshold = 5;\nBitglass\n| where EventType =~ 'cloudaudit'\n| where Action =~ 'Action  DLPScan'\n| where EventMessage has_all ('External', 'Shared', 'DLP')\n| summarize f_cnt = makeset(SrcFileName) by User, bin(TimeGenerated, 10m)\n| where array_length(f_cnt) >= threshold\n| extend AccountCustomEntity = User\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1567"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}