declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
SailPointIDN_Events_CL
| where TimeGenerated > ago(lbperiod)
| where type_s == type
| where technicalName_s == technicalName
| where status_s == "FAILED"
| sort by created_t
query: |
declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
SailPointIDN_Events_CL
| where TimeGenerated > ago(lbperiod)
| where type_s == type
| where technicalName_s == technicalName
| where status_s == "FAILED"
| sort by created_t
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml
status: Available
description: |
'Created to detect new threat events from the data in SailPointIDN_Events.'
queryFrequency: 1d
name: SailPointIdentityNowEventTypeTechnicalName
kind: Scheduled
triggerThreshold: 0
id: 2151e8ea-4838-4c74-be12-4d6a950dde7a
requiredDataConnectors:
- connectorId: SailPointIdentityNow
dataTypes:
- SailPointIDN_Events_CL
severity: High
queryPeriod: 14d
entityMappings:
- fieldMappings:
- columnName: technicalName_s
identifier: Name
entityType: Account
relevantTechniques:
- T1133
tactics:
- InitialAccess
