Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SailPointIdentityNowEventTypeTechnicalName

SailPointIdentityNowEventTypeTechnicalName

Back
Id2151e8ea-4838-4c74-be12-4d6a950dde7a
RulenameSailPointIdentityNowEventTypeTechnicalName
DescriptionCreated to detect new threat events from the data in SailPointIDN_Events.
SeverityHigh
TacticsInitialAccess
TechniquesT1133
Required data connectorsSailPointIdentityNow
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml
Version1.0.0
Arm template2151e8ea-4838-4c74-be12-4d6a950dde7a.json
Deploy To Azure
declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
  SailPointIDN_Events_CL
  | where TimeGenerated > ago(lbperiod)
  | where type_s == type
  | where technicalName_s == technicalName
  | where status_s == "FAILED"
  | sort by created_t

name: SailPointIdentityNowEventTypeTechnicalName
query: |
  declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
    SailPointIDN_Events_CL
    | where TimeGenerated > ago(lbperiod)
    | where type_s == type
    | where technicalName_s == technicalName
    | where status_s == "FAILED"
    | sort by created_t  
queryFrequency: 1d
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SailPointIDN_Events_CL
  connectorId: SailPointIdentityNow
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: technicalName_s
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml
description: |
    'Created to detect new threat events from the data in SailPointIDN_Events.'
version: 1.0.0
id: 2151e8ea-4838-4c74-be12-4d6a950dde7a
kind: Scheduled
relevantTechniques:
- T1133
severity: High
tactics:
- InitialAccess
queryPeriod: 14d