Alsid Indicators of Exposures

Back


Id	154fde9f-ae00-4422-a8da-ef00b11da3fc
Rulename	Alsid Indicators of Exposures
Description	Searches for triggered Indicators of Exposures
Severity	Low
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	AlsidForAD
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/IndicatorsOfExposures.yaml
Version	1.0.1
Arm template	154fde9f-ae00-4422-a8da-ef00b11da3fc.json

KQL

let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
afad_parser
| where MessageType == 0
| lookup kind=leftouter SeverityTable on Severity
| order by Level
| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))

YAML

entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
kind: Scheduled
tactics:
- CredentialAccess
query: |
  let SeverityTable=datatable(Severity:string,Level:int) [
  "low", 1,
  "medium", 2,
  "high", 3,
  "critical", 4
  ];
  afad_parser
  | where MessageType == 0
  | lookup kind=leftouter SeverityTable on Severity
  | order by Level
  | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))  
name: Alsid Indicators of Exposures
queryFrequency: 2h
queryPeriod: 2h
triggerThreshold: 0
triggerOperator: gt
severity: Low
relevantTechniques:
- T1110
requiredDataConnectors:
- connectorId: AlsidForAD
  dataTypes:
  - AlsidForADLog_CL
version: 1.0.1
status: Available
description: |
    'Searches for triggered Indicators of Exposures'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/IndicatorsOfExposures.yaml
id: 154fde9f-ae00-4422-a8da-ef00b11da3fc

ARM