declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
SailPointIDN_Events_CL
| where TimeGenerated > ago(lbperiod)
| where type_s == type
| where technicalName_s == technicalName
| where status_s == "FAILED"
| sort by created_t
description: |
'Created to detect new threat events from the data in SailPointIDN_Events.'
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml
triggerOperator: gt
status: Available
id: 2151e8ea-4838-4c74-be12-4d6a950dde7a
name: SailPointIdentityNowEventTypeTechnicalName
queryFrequency: 1d
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: technicalName_s
identifier: Name
entityType: Account
relevantTechniques:
- T1133
query: |
declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
SailPointIDN_Events_CL
| where TimeGenerated > ago(lbperiod)
| where type_s == type
| where technicalName_s == technicalName
| where status_s == "FAILED"
| sort by created_t
requiredDataConnectors:
- dataTypes:
- SailPointIDN_Events_CL
connectorId: SailPointIdentityNow
