Microsoft Sentinel Analytic Rules

CyberArk - Sensitive SafePermissionEntitlement Changes with customData

Id: 30938118-8812-4b5f-afa4-a8d4ba2b5d86
Rulename: CyberArk - Sensitive Safe/Permission/Entitlement Changes (with customData)
Description: Alerts on control-plane modifications: safes, permissions, roles, entitlements, policy changes. Leverages customData fields such as changeType/role/permission/policy/entitlement to reduce misses.
Severity: Low
Tactics: PrivilegeEscalation
Kind: Scheduled
Query frequency: 10M
Query period: 1D
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml
Version: 1.0.0
Arm template: 30938118-8812-4b5f-afa4-a8d4ba2b5d86.json
// Detection: control-plane changes in CyberArk audit events (safes, permissions, roles,
// entitlements, policies), using both native columns and the customData JSON payload.
//
// NOTE(review): the first `where` below gates every result on action being
// "policy-add" / "policy-change"; the indicator and customData checks only widen matching
// *within* those actions. If safe-member or permission changes arrive under other action
// values in this data source, they are not covered here — confirm against the audit schema.
let sensitiveTerms = dynamic(["SafeMember","Permission","Access","ACL","Owner","Role","Entitlement","Policy"]);
let changeVerbSet  = dynamic(["grant","revoke","assign","elevate","enable","disable","remove","delete","update"]);
let policyActions  = dynamic(["policy-add", "policy-change"]);
CyberArk_AuditEvents_CL
// Gate on the audit action first (has_any is case-insensitive, whole-term matching).
| where action has_any (policyActions)
// Flatten the customData JSON into typed columns. tostring() on a missing key yields "",
// so the isnotempty() checks further down act as a "field is present" test.
| extend cd = parse_json(tostring(customData))
| extend cd_changeType  = tolower(tostring(cd.changeType)),
         cd_role        = tostring(cd.role),
         cd_perm        = tostring(cd.permission),
         cd_policy      = tostring(cd.policy),
         cd_entitle     = tostring(cd.entitlement),
         cd_description = tostring(cd.description),
         cd_action      = tostring(cd.action)
// Match on any one of: a sensitive term in the native or customData text fields,
// a populated role/permission/policy/entitlement field, or a recognised change verb
// (changeType is lowercased above so the case-sensitive `in` can match the lowercase list).
| where auditType has_any (sensitiveTerms)
    or message has_any (sensitiveTerms)
    or cd_description has_any (sensitiveTerms)
    or cd_action has_any (sensitiveTerms)
    or isnotempty(cd_role) or isnotempty(cd_perm) or isnotempty(cd_policy) or isnotempty(cd_entitle)
    or cd_changeType in (changeVerbSet)
| project TimeGenerated, CyberArkTenantId, serviceName, username, userId, safe,
          action, actionType, auditType,
          cd_action, cd_description, cd_changeType, cd_role, cd_perm, cd_policy, cd_entitle,
          target, message
# Scheduled Microsoft Sentinel analytic rule; the KQL under `query:` is the detection logic.
kind: Scheduled
# Any result row (> 0) raises an alert.
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
tactics:
- PrivilegeEscalation
# Runs every 10 minutes but looks back over the 1-day queryPeriod below, so each run
# re-examines the previous 24h of events. With suppressionEnabled: false, a single matching
# event may therefore produce alerts on successive runs — NOTE(review): confirm this is intended
# or consider aligning queryPeriod with queryFrequency / enabling suppression.
queryFrequency: 10M
id: 30938118-8812-4b5f-afa4-a8d4ba2b5d86
suppressionEnabled: false
name: CyberArk - Sensitive Safe/Permission/Entitlement Changes (with customData)
description: |
    Alerts on control-plane modifications: safes, permissions, roles, entitlements, policy changes. Leverages customData fields such as changeType/role/permission/policy/entitlement to reduce misses.
# Entity mappings drive incident entities: `username` becomes an Account, `target` a Host.
# NOTE(review): `target` is mapped as a HostName; if this field carries a safe or account
# name rather than a host in the CyberArk audit data, the Host entity will be mis-attributed —
# verify against sample events.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: username
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: target
    identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml
queryPeriod: 1D
severity: Low
# Query body (YAML block scalar). Note that the `where` clause gates all results on
# action being "policy-add" / "policy-change"; the indicator and customData checks only
# widen matching within those actions.
query: |
  let indicators = dynamic(["SafeMember","Permission","Access","ACL","Owner","Role","Entitlement","Policy"]);
  let changeVerbs = dynamic(["grant","revoke","assign","elevate","enable","disable","remove","delete","update"]);
  let actions = dynamic(["policy-add", "policy-change"]);
  CyberArk_AuditEvents_CL
  | extend cd = parse_json(tostring(customData))
  | extend cd_changeType = tolower(tostring(cd.changeType)),
           cd_role       = tostring(cd.role),
           cd_perm       = tostring(cd.permission),
           cd_policy     = tostring(cd.policy),
           cd_entitle    = tostring(cd.entitlement),
           cd_description= tostring(cd.description),
           cd_action     = tostring(cd.action)
  | where 
      action has_any(actions) and
      (auditType has_any (indicators)
      or message has_any (indicators)
      or cd_description has_any (indicators)
      or cd_action has_any (indicators)
      or cd_role !~ "" or cd_perm !~ "" or cd_policy !~ "" or cd_entitle !~ ""
      or cd_changeType in (changeVerbs))
  | project TimeGenerated, CyberArkTenantId, serviceName, username, userId, safe,
            action, actionType, auditType,
            cd_action, cd_description, cd_changeType, cd_role, cd_perm, cd_policy, cd_entitle,
            target, message