Unauthorized Association High

Back


Id	0e90d290-2422-49a8-8025-a24dd453e48e
Rulename	Unauthorized Association (High)
Description	New Unauthorized Association with severity High found
Severity	High
Tactics	CredentialAccess
Techniques	T1557
Required data connectors	CBSPollingIDAzureFunctions
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/unauthorized_association_high.yaml
Version	1.0.0
Arm template	0e90d290-2422-49a8-8025-a24dd453e48e.json

KQL

CBSLog_Azure_1_CL | where severity_s == "High" | where type_s == "Unauthorized Association" | where status_s != "Closed" or status_s != "Resolved"

YAML

requiredDataConnectors:
- connectorId: CBSPollingIDAzureFunctions
  dataTypes:
  - CBSLog_Azure_1_CL
tactics:
- CredentialAccess
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    reopenClosedIncident: false
description: New Unauthorized Association with severity High found
query: CBSLog_Azure_1_CL | where severity_s == "High" | where type_s == "Unauthorized Association" | where status_s != "Closed" or status_s != "Resolved"
id: 0e90d290-2422-49a8-8025-a24dd453e48e
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1557
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/unauthorized_association_high.yaml
queryFrequency: 5m
severity: High
name: Unauthorized Association (High)
suppressionEnabled: false
suppressionDuration: 5h
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e90d290-2422-49a8-8025-a24dd453e48e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e90d290-2422-49a8-8025-a24dd453e48e')]",
      "properties": {
        "alertRuleTemplateName": "0e90d290-2422-49a8-8025-a24dd453e48e",
        "customDetails": null,
        "description": "New Unauthorized Association with severity High found",
        "displayName": "Unauthorized Association (High)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/unauthorized_association_high.yaml",
        "query": "CBSLog_Azure_1_CL | where severity_s == \"High\" | where type_s == \"Unauthorized Association\" | where status_s != \"Closed\" or status_s != \"Resolved\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1557"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}