Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Alert

Back
Id29e0767c-80ac-4689-9a2e-b25b9fc88fce
RulenameUser Alert
DescriptionThis query identifies users whose user account or credentials have been compromised.
SeverityMedium
TacticsDefenseEvasion
Impact
TechniquesT1578
T1531
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
Version1.0.0
Arm template29e0767c-80ac-4689-9a2e-b25b9fc88fce.json
Deploy To Azure
SecurityIncident
| where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
| extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
| project TimeGenerated, Title, Description, Status
queryPeriod: 5m
version: 1.0.0
tactics:
- DefenseEvasion
- Impact
queryFrequency: 5m
id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
triggerOperator: gt
requiredDataConnectors: []
severity: Medium
entityMappings: 
triggerThreshold: 0
relevantTechniques:
- T1578
- T1531
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
  | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
  | project TimeGenerated, Title, Description, Status  
kind: Scheduled
name: User Alert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
description: |
    'This query identifies users whose user account or credentials have been compromised.'
status: Available
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "properties": {
        "alertRuleTemplateName": "29e0767c-80ac-4689-9a2e-b25b9fc88fce",
        "customDetails": null,
        "description": "'This query identifies users whose user account or credentials have been compromised.'\n",
        "displayName": "User Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description has \"User\" and Description has \"Compromised\" and Status has \"New\"\n| extend extracted_word = extract(\"User\\\\s(.*?)\\\\sCompromised\", 1, Description)\n| project TimeGenerated, Title, Description, Status\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}