RSA ID Plus - Locked Administrator Account Detected
| Id | 488c759d-a82e-44cd-91bb-d766573918d7 |
| Rulename | RSA ID Plus - Locked Administrator Account Detected |
| Description | Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events). |
| Severity | Medium |
| Tactics | Impact CredentialAccess |
| Required data connectors | RSAIDPlus_AdminLogs_Connector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml |
| Version | 1.0.0 |
| Arm template | 488c759d-a82e-44cd-91bb-d766573918d7.json |
RSAIDPlus_AdminLogs_CL
|where activityKey == 'LOCKED_ADMIN_ACCOUNT'
|project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress
name: RSA ID Plus - Locked Administrator Account Detected
eventGroupingSettings:
aggregationKind: SingleAlert
kind: Scheduled
id: 488c759d-a82e-44cd-91bb-d766573918d7
requiredDataConnectors:
- connectorId: RSAIDPlus_AdminLogs_Connector
dataTypes:
- RSAIDPlus_AdminLogs_CL
severity: Medium
triggerThreshold: 0
version: 1.0.0
description: |
'Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).'
relevantTechniques: []
alertDetailsOverride:
alertDisplayNameFormat: RSA ID Plus Administrator - {{{adminUserName}} is locked out.
alertDescriptionFormat: 'Administrator - {{{adminUserName}} with Role - {{{adminUserRole}} got locked out of Admin Console at: {{{TimeGenerated}}'
queryPeriod: 1d
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: 2h
tactics:
- Impact
- CredentialAccess
customDetails:
Activity: activityKey
Administrator: adminUserName
Customer_Name: customerName
Administrator_Type: adminUserRole
queryFrequency: 30m
entityMappings:
- fieldMappings:
- identifier: Address
columnName: sourceIPAddress
entityType: IP
- fieldMappings:
- identifier: Name
columnName: adminUserName
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: customerName
entityType: Host
status: Available
triggerOperator: GreaterThan
query: |
RSAIDPlus_AdminLogs_CL
|where activityKey == 'LOCKED_ADMIN_ACCOUNT'
|project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/488c759d-a82e-44cd-91bb-d766573918d7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/488c759d-a82e-44cd-91bb-d766573918d7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Administrator - {{{adminUserName}} with Role - {{{adminUserRole}} got locked out of Admin Console at: {{{TimeGenerated}}",
"alertDisplayNameFormat": "RSA ID Plus Administrator - {{{adminUserName}} is locked out."
},
"alertRuleTemplateName": "488c759d-a82e-44cd-91bb-d766573918d7",
"customDetails": {
"Activity": "activityKey",
"Administrator": "adminUserName",
"Administrator_Type": "adminUserRole",
"Customer_Name": "customerName"
},
"description": "'Raises an alert when an admin account is locked out of the Admin console (RSAIDPlus Admin Events).'\n",
"displayName": "RSA ID Plus - Locked Administrator Account Detected",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "sourceIPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "adminUserName",
"identifier": "Name"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "customerName",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT2H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Analytic Rules/RSAIDPlus_AdminLockoutAlert.yaml",
"query": "RSAIDPlus_AdminLogs_CL\n|where activityKey == 'LOCKED_ADMIN_ACCOUNT'\n|project TimeGenerated, customerName, adminUserName, adminUserRole, activityKey, sourceIPAddress\n",
"queryFrequency": "PT30M",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Impact"
],
"techniques": [],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}