Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SailPointIdentityNowUserWithFailedEvent

SailPointIdentityNowUserWithFailedEvent

Back
Id2a215222-bfc5-4858-a530-6d4088ebfa15
RulenameSailPointIdentityNowUserWithFailedEvent
DescriptionDetects any failed event for a particular user.
SeverityHigh
TacticsInitialAccess
TechniquesT1133
Required data connectorsSailPointIdentityNow
SailPointIdentityNowConnector
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowUserWithFailedEvents.yaml
Version1.1.0
Arm template2a215222-bfc5-4858-a530-6d4088ebfa15.json
Deploy To Azure
declare query_parameters(lbperiod:timespan = 14d, type:string = "ACCESS_ITEM", actorName:string = "test.tester", targetName:string = "test.tester");
  SailPointIDN_Events
  | where TimeGenerated > ago(lbperiod)
  | where EventType == type
  | where Status == "FAILED"
  | where ActorName == actorName
  | where TargetName == targetName
  | sort by Created

relevantTechniques:
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TechnicalName
    identifier: Name
version: 1.1.0
id: 2a215222-bfc5-4858-a530-6d4088ebfa15
severity: High
kind: Scheduled
queryFrequency: 1d
description: |
    'Detects any failed event for a particular user.'
requiredDataConnectors:
- connectorId: SailPointIdentityNow
  dataTypes:
  - SailPointIDN_Events
- connectorId: SailPointIdentityNowConnector
  dataTypes:
  - SailPointIDN_Events
triggerOperator: gt
name: SailPointIdentityNowUserWithFailedEvent
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowUserWithFailedEvents.yaml
triggerThreshold: 0
queryPeriod: 14d
query: |
  declare query_parameters(lbperiod:timespan = 14d, type:string = "ACCESS_ITEM", actorName:string = "test.tester", targetName:string = "test.tester");
    SailPointIDN_Events
    | where TimeGenerated > ago(lbperiod)
    | where EventType == type
    | where Status == "FAILED"
    | where ActorName == actorName
    | where TargetName == targetName
    | sort by Created  
status: Available