Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Alert

Back
Id29e0767c-80ac-4689-9a2e-b25b9fc88fce
RulenameUser Alert
DescriptionThis query identifies users whose user account or credentials have been compromised.
SeverityMedium
TacticsDefenseEvasion
Impact
TechniquesT1578
T1531
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
Version1.0.0
Arm template29e0767c-80ac-4689-9a2e-b25b9fc88fce.json
Deploy To Azure
SecurityIncident
| where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
| extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
| project TimeGenerated, Title, Description, Status
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
status: Available
triggerThreshold: 0
relevantTechniques:
- T1578
- T1531
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
requiredDataConnectors: []
queryPeriod: 5m
tactics:
- DefenseEvasion
- Impact
severity: Medium
triggerOperator: gt
description: |
    'This query identifies users whose user account or credentials have been compromised.'
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
  | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
  | project TimeGenerated, Title, Description, Status  
name: User Alert
version: 1.0.0
kind: Scheduled
id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
queryFrequency: 5m
entityMappings: 
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "properties": {
        "alertRuleTemplateName": "29e0767c-80ac-4689-9a2e-b25b9fc88fce",
        "customDetails": null,
        "description": "'This query identifies users whose user account or credentials have been compromised.'\n",
        "displayName": "User Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description has \"User\" and Description has \"Compromised\" and Status has \"New\"\n| extend extracted_word = extract(\"User\\\\s(.*?)\\\\sCompromised\", 1, Description)\n| project TimeGenerated, Title, Description, Status\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}