Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Valimail Enforce - Email Authentication Key Deleted

Valimail Enforce - Email Authentication Key Deleted

Back
Id483078c6-d029-40f3-931a-30af0032008b
RulenameValimail Enforce - Email Authentication Key Deleted
DescriptionThis query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events

that could degrade email authentication posture for a domain.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsValimailEnforce
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
Version1.0.0
Arm template483078c6-d029-40f3-931a-30af0032008b.json
Deploy To Azure
ValimailEnforceEvents_CL
| where EventSeverity == "Medium"
| where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
| where IsHighValueEvent == true
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    AffectedDomains = make_set(Subject),
    Actions = make_set(EventType)
  by User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName = tostring(AffectedDomains[0])

relevantTechniques:
- T1562
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: UPNSuffix
- entityType: DNS
  fieldMappings:
  - columnName: DomainName
    identifier: DomainName
version: 1.0.0
id: 483078c6-d029-40f3-931a-30af0032008b
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
  This query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events
  that could degrade email authentication posture for a domain.  
requiredDataConnectors:
- connectorId: ValimailEnforce
  dataTypes:
  - ValimailEnforceEvents_CL
triggerOperator: gt
name: Valimail Enforce - Email Authentication Key Deleted
tactics:
- DefenseEvasion
alertDetailsOverride:
  alertDescriptionFormat: |
    User '{{User}}' deleted one or more {{EventCategory}} records affecting
    domains: {{AffectedDomains}}. This may weaken email authentication posture.    
  alertDisplayNameFormat: '{{EventCategory}} key deleted on {{EventCount}} domain(s) by {{User}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  ValimailEnforceEvents_CL
  | where EventSeverity == "Medium"
  | where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
  | where IsHighValueEvent == true
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      AffectedDomains = make_set(Subject),
      Actions = make_set(EventType)
    by User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName = tostring(AffectedDomains[0])  
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - Account
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1d