RSA ID Plus - Locked Administrator Account Detected

Back


Id	488c759d-a82e-44cd-91bb-d766573918d7
Rulename	RSA ID Plus - Locked Administrator Account Detected
Description	Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).
Severity	Medium
Tactics	Impact CredentialAccess
Required data connectors	RSAIDPlus_AdminLogs_Connector
Kind	Scheduled
Query frequency	30m
Query period	1d
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml
Version	1.0.0
Arm template	488c759d-a82e-44cd-91bb-d766573918d7.json

KQL

RSAIDPlus_AdminLogs_CL
|where activityKey == 'LOCKED_ADMIN_ACCOUNT'
|project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress

YAML

kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDisplayNameFormat: RSA ID Plus Administrator - {{{adminUserName}} is locked out.
  alertDescriptionFormat: 'Administrator - {{{adminUserName}} with Role - {{{adminUserRole}} got locked out of Admin Console at: {{{TimeGenerated}}'
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: sourceIPAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: adminUserName
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: customerName
    identifier: HostName
description: |
    'Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).'
severity: Medium
queryFrequency: 30m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 2h
    enabled: true
  createIncident: true
triggerThreshold: 0
relevantTechniques: []
status: Available
customDetails:
  Customer_Name: customerName
  Administrator: adminUserName
  Activity: activityKey
  Administrator_Type: adminUserRole
tactics:
- Impact
- CredentialAccess
name: RSA ID Plus - Locked Administrator Account Detected
id: 488c759d-a82e-44cd-91bb-d766573918d7
query: |
  RSAIDPlus_AdminLogs_CL
  |where activityKey == 'LOCKED_ADMIN_ACCOUNT'
  |project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress  
requiredDataConnectors:
- dataTypes:
  - RSAIDPlus_AdminLogs_CL
  connectorId: RSAIDPlus_AdminLogs_Connector
version: 1.0.0
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml
queryPeriod: 1d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/488c759d-a82e-44cd-91bb-d766573918d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/488c759d-a82e-44cd-91bb-d766573918d7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Administrator - {{{adminUserName}} with Role - {{{adminUserRole}} got locked out of Admin Console at: {{{TimeGenerated}}",
          "alertDisplayNameFormat": "RSA ID Plus Administrator - {{{adminUserName}} is locked out."
        },
        "alertRuleTemplateName": "488c759d-a82e-44cd-91bb-d766573918d7",
        "customDetails": {
          "Activity": "activityKey",
          "Administrator": "adminUserName",
          "Administrator_Type": "adminUserRole",
          "Customer_Name": "customerName"
        },
        "description": "'Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).'\n",
        "displayName": "RSA ID Plus - Locked Administrator Account Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "adminUserName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "customerName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT2H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml",
        "query": "RSAIDPlus_AdminLogs_CL\n|where activityKey == 'LOCKED_ADMIN_ACCOUNT'\n|project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Impact"
        ],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}