Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Valimail Enforce - Email Authentication Key Deleted

Valimail Enforce - Email Authentication Key Deleted

Back
Id483078c6-d029-40f3-931a-30af0032008b
RulenameValimail Enforce - Email Authentication Key Deleted
DescriptionThis query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events

that could degrade email authentication posture for a domain.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsValimailEnforce
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
Version1.0.0
Arm template483078c6-d029-40f3-931a-30af0032008b.json
Deploy To Azure
ValimailEnforceEvents_CL
| where EventSeverity == "Medium"
| where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
| where IsHighValueEvent == true
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    AffectedDomains = make_set(Subject),
    Actions = make_set(EventType)
  by User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName = tostring(AffectedDomains[0])

id: 483078c6-d029-40f3-931a-30af0032008b
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_AuthKeyChanged.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: DomainName
    columnName: DomainName
  entityType: DNS
requiredDataConnectors:
- dataTypes:
  - ValimailEnforceEvents_CL
  connectorId: ValimailEnforce
queryFrequency: 1h
alertDetailsOverride:
  alertDisplayNameFormat: '{{EventCategory}} key deleted on {{EventCount}} domain(s) by {{User}}'
  alertDescriptionFormat: |
    User '{{User}}' deleted one or more {{EventCategory}} records affecting
    domains: {{AffectedDomains}}. This may weaken email authentication posture.    
queryPeriod: 1h
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - Account
    enabled: true
  createIncident: true
query: |
  ValimailEnforceEvents_CL
  | where EventSeverity == "Medium"
  | where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
  | where IsHighValueEvent == true
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      AffectedDomains = make_set(Subject),
      Actions = make_set(EventType)
    by User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName = tostring(AffectedDomains[0])  
name: Valimail Enforce - Email Authentication Key Deleted
kind: Scheduled
tactics:
- DefenseEvasion
severity: Medium
relevantTechniques:
- T1562
triggerThreshold: 0
version: 1.0.0
description: |
  This query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events
  that could degrade email authentication posture for a domain.