Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Alert

Back
Id29e0767c-80ac-4689-9a2e-b25b9fc88fce
RulenameUser Alert
DescriptionThis query identifies users whose user account or credentials have been compromised.
SeverityMedium
TacticsDefenseEvasion
Impact
TechniquesT1578
T1531
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
Version1.0.0
Arm template29e0767c-80ac-4689-9a2e-b25b9fc88fce.json
Deploy To Azure
SecurityIncident
| where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
| extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
| project TimeGenerated, Title, Description, Status
description: |
    'This query identifies users whose user account or credentials have been compromised.'
tactics:
- DefenseEvasion
- Impact
requiredDataConnectors: []
version: 1.0.0
relevantTechniques:
- T1578
- T1531
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
severity: Medium
entityMappings: 
triggerThreshold: 0
queryFrequency: 5m
status: Available
queryPeriod: 5m
triggerOperator: gt
kind: Scheduled
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
  | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
  | project TimeGenerated, Title, Description, Status  
name: User Alert
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "properties": {
        "alertRuleTemplateName": "29e0767c-80ac-4689-9a2e-b25b9fc88fce",
        "customDetails": null,
        "description": "'This query identifies users whose user account or credentials have been compromised.'\n",
        "displayName": "User Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description has \"User\" and Description has \"Compromised\" and Status has \"New\"\n| extend extracted_word = extract(\"User\\\\s(.*?)\\\\sCompromised\", 1, Description)\n| project TimeGenerated, Title, Description, Status\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}