Valimail Enforce - Email Authentication Key Deleted
| Id | 483078c6-d029-40f3-931a-30af0032008b |
| Rulename | Valimail Enforce - Email Authentication Key Deleted |
| Description | This query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events that could degrade email authentication posture for a domain. |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1562 |
| Required data connectors | ValimailEnforce |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml |
| Version | 1.0.0 |
| Arm template | 483078c6-d029-40f3-931a-30af0032008b.json |
ValimailEnforceEvents_CL
| where EventSeverity == "Medium"
| where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
| where IsHighValueEvent == true
| summarize
EventCount = count(),
FirstSeen = min(PerformedAt),
LastSeen = max(PerformedAt),
AffectedDomains = make_set(Subject),
Actions = make_set(EventType)
by User, EventCategory
| extend
AccountName = tostring(split(User, "@")[0]),
AccountDomain = tostring(split(User, "@")[1]),
DomainName = tostring(AffectedDomains[0])
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
ValimailEnforceEvents_CL
| where EventSeverity == "Medium"
| where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
| where IsHighValueEvent == true
| summarize
EventCount = count(),
FirstSeen = min(PerformedAt),
LastSeen = max(PerformedAt),
AffectedDomains = make_set(Subject),
Actions = make_set(EventType)
by User, EventCategory
| extend
AccountName = tostring(split(User, "@")[0]),
AccountDomain = tostring(split(User, "@")[1]),
DomainName = tostring(AffectedDomains[0])
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
tactics:
- DefenseEvasion
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountDomain
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: DomainName
requiredDataConnectors:
- connectorId: ValimailEnforce
dataTypes:
- ValimailEnforceEvents_CL
alertDetailsOverride:
alertDescriptionFormat: |
User '{{User}}' deleted one or more {{EventCategory}} records affecting
domains: {{AffectedDomains}}. This may weaken email authentication posture.
alertDisplayNameFormat: '{{EventCategory}} key deleted on {{EventCount}} domain(s) by {{User}}'
relevantTechniques:
- T1562
description: |
This query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events
that could degrade email authentication posture for a domain.
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: true
matchingMethod: Selected
lookbackDuration: 1d
groupByEntities:
- Account
createIncident: true
name: Valimail Enforce - Email Authentication Key Deleted
version: 1.0.0
kind: Scheduled
id: 483078c6-d029-40f3-931a-30af0032008b
severity: Medium