Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Alert

Back
Id29e0767c-80ac-4689-9a2e-b25b9fc88fce
RulenameUser Alert
DescriptionThis query identifies users whose user account or credentials have been compromised.
SeverityMedium
TacticsDefenseEvasion
Impact
TechniquesT1578
T1531
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
Version1.0.0
Arm template29e0767c-80ac-4689-9a2e-b25b9fc88fce.json
Deploy To Azure
SecurityIncident
| where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
| extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
| project TimeGenerated, Title, Description, Status
severity: Medium
name: User Alert
requiredDataConnectors: []
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
tactics:
- DefenseEvasion
- Impact
queryFrequency: 5m
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
description: |
    'This query identifies users whose user account or credentials have been compromised.'
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1578
- T1531
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
  | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
  | project TimeGenerated, Title, Description, Status  
entityMappings: 
status: Available
version: 1.0.0
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e0767c-80ac-4689-9a2e-b25b9fc88fce')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "User Alert",
        "description": "'This query identifies users whose user account or credentials have been compromised.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description has \"User\" and Description has \"Compromised\" and Status has \"New\"\n| extend extracted_word = extract(\"User\\\\s(.*?)\\\\sCompromised\", 1, Description)\n| project TimeGenerated, Title, Description, Status\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1578",
          "T1531"
        ],
        "alertRuleTemplateName": "29e0767c-80ac-4689-9a2e-b25b9fc88fce",
        "customDetails": null,
        "entityMappings": null,
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml",
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ]
      }
    }
  ]
}