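// CyberArk - High-Risk Actions Outside Business Hours
// Flags CyberArk audit events whose action / actionType / auditType / message
// contains one of the privileged-or-destructive terms in `risky` and that were
// recorded outside the business-hour window defined below.
//
// Hours are taken from TimeGenerated, which is UTC in Log Analytics; if the
// tenant's working day is not aligned to UTC, adjust businessStartHour /
// businessEndHour (or shift TimeGenerated by the tenant offset) before use.
// With a 1D query period run every 10 minutes, the same event can be reported
// on several consecutive runs unless alert grouping or suppression handles it.
//
// NOTE(review): has_any matches whole terms, so an action value that embeds a
// keyword inside a single longer token would not match — confirm against the
// real action/actionType vocabulary. "Safe", "Vault", "Key" and "Policy" are
// nouns rather than verbs; matched against message they may fire on routine
// events, so measure precision before relying on the message clause.
let risky = dynamic(["Delete","Remove","Rotate","Elevate","Disable","Grant","Policy","Safe","Vault","Key"]);
// Business-hour window; hours businessStartHour..businessEndHour (inclusive)
// count as in-hours, everything else is flagged.
let businessStartHour = 7;
let businessEndHour = 20;
CyberArk_AuditEvents_CL
// Effectively redundant with the has_any clause (an empty string has no terms
// to match) but harmless; kept so the intent is explicit.
| where isnotempty(action) or isnotempty(actionType) or isnotempty(auditType) or isnotempty(message)
// Hour-of-day filter (UTC) before the term search.
| where hourofday(TimeGenerated) < businessStartHour or hourofday(TimeGenerated) > businessEndHour
| where action has_any (risky) or actionType has_any (risky) or auditType has_any (risky) or message has_any (risky)
// customData is a JSON blob; surface the fields an analyst needs for triage
// (who, how they authenticated, from where, on what).
| extend cd = parse_json(customData)
| extend cd_username = tostring(cd.username),
cd_auth_method = tostring(cd.authentication_method),
cd_client_ip = tostring(cd.client_ip_address),
cd_source_ip = tostring(cd.source_ip_address),
cd_device_os = tostring(cd.device_os),
cd_browser = tostring(cd.browser_name),
cd_geo_city = tostring(cd.geoip_city_name),
cd_geo_country = tostring(cd.geoip_country_name),
// The target may be carried under any of three keys; take the first present.
cd_target = coalesce(tostring(cd.target), tostring(cd.target_resource), tostring(cd.new_target))
| project TimeGenerated, CyberArkTenantId, username, cd_username, identityType, action, actionType, auditType,
target, targetAccount, safe, source, cd_source_ip, cd_client_ip, cd_auth_method, cd_device_os,
cd_browser, cd_geo_city, cd_geo_country, cd_target, component, serviceName, message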
kind: Scheduled
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
tactics:
- DefenseEvasion
queryFrequency: 10M
id: 3733e1ac-991b-4504-99e8-24ff4fbaf6e4
suppressionEnabled: false
name: CyberArk - High-Risk Actions Outside Business Hours
description: |
Detects privileged or destructive actions (delete/disable/rotate/elevate/etc.) occurring outside standard business hours. Useful for detecting insider misuse or a compromised administrator account.
entityMappings:
- entityType: Account
fieldMappings:
- columnName: username
identifier: FullName
- entityType: Host
fieldMappings:
- columnName: target
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: source
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditHighRiskActions.yaml
queryPeriod: 1D
severity: High
query: |
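// CyberArk - High-Risk Actions Outside Business Hours
// Flags CyberArk audit events whose action / actionType / auditType / message
// contains one of the privileged-or-destructive terms in `risky` and that were
// recorded outside the business-hour window defined below.
//
// Hours are taken from TimeGenerated, which is UTC in Log Analytics; if the
// tenant's working day is not aligned to UTC, adjust businessStartHour /
// businessEndHour (or shift TimeGenerated by the tenant offset) before use.
// With a 1D query period run every 10 minutes, the same event can be reported
// on several consecutive runs unless alert grouping or suppression handles it.
//
// NOTE(review): has_any matches whole terms, so an action value that embeds a
// keyword inside a single longer token would not match — confirm against the
// real action/actionType vocabulary. "Safe", "Vault", "Key" and "Policy" are
// nouns rather than verbs; matched against message they may fire on routine
// events, so measure precision before relying on the message clause.
let risky = dynamic(["Delete","Remove","Rotate","Elevate","Disable","Grant","Policy","Safe","Vault","Key"]);
// Business-hour window; hours businessStartHour..businessEndHour (inclusive)
// count as in-hours, everything else is flagged.
let businessStartHour = 7;
let businessEndHour = 20;
CyberArk_AuditEvents_CL
// Effectively redundant with the has_any clause (an empty string has no terms
// to match) but harmless; kept so the intent is explicit.
| where isnotempty(action) or isnotempty(actionType) or isnotempty(auditType) or isnotempty(message)
// Hour-of-day filter (UTC) before the term search.
| where hourofday(TimeGenerated) < businessStartHour or hourofday(TimeGenerated) > businessEndHour
| where action has_any (risky) or actionType has_any (risky) or auditType has_any (risky) or message has_any (risky)
// customData is a JSON blob; surface the fields an analyst needs for triage
// (who, how they authenticated, from where, on what).
| extend cd = parse_json(customData)
| extend cd_username = tostring(cd.username),
cd_auth_method = tostring(cd.authentication_method),
cd_client_ip = tostring(cd.client_ip_address),
cd_source_ip = tostring(cd.source_ip_address),
cd_device_os = tostring(cd.device_os),
cd_browser = tostring(cd.browser_name),
cd_geo_city = tostring(cd.geoip_city_name),
cd_geo_country = tostring(cd.geoip_country_name),
// The target may be carried under any of three keys; take the first present.
cd_target = coalesce(tostring(cd.target), tostring(cd.target_resource), tostring(cd.new_target))
| project TimeGenerated, CyberArkTenantId, username, cd_username, identityType, action, actionType, auditType,
target, targetAccount, safe, source, cd_source_ip, cd_client_ip, cd_auth_method, cd_device_os,
cd_browser, cd_geo_city, cd_geo_country, cd_target, component, serviceName, message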