SailPointIdentityNowEventType
| Id | 48bb92e2-bad4-4fd4-9684-26cb188299b7 |
| Rulename | SailPointIdentityNowEventType |
| Description | Created to detect failed events of particular type from SailPointIDN_Events. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1133 |
| Required data connectors | SailPointIdentityNow SailPointIdentityNowConnector |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventType.yaml |
| Version | 1.1.0 |
| Arm template | 48bb92e2-bad4-4fd4-9684-26cb188299b7.json |
declare query_parameters(lbperiod:timespan = 14d, type:string = "ACCESS_ITEM");
SailPointIDN_Events
| where TimeGenerated > ago(lbperiod)
| where EventType == type
| where Status == "FAILED"
| sort by Created
entityMappings:
- fieldMappings:
- columnName: TechnicalName
identifier: Name
entityType: Account
triggerOperator: gt
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventType.yaml
version: 1.1.0
query: |
declare query_parameters(lbperiod:timespan = 14d, type:string = "ACCESS_ITEM");
SailPointIDN_Events
| where TimeGenerated > ago(lbperiod)
| where EventType == type
| where Status == "FAILED"
| sort by Created
triggerThreshold: 0
relevantTechniques:
- T1133
queryPeriod: 14d
status: Available
severity: High
kind: Scheduled
name: SailPointIdentityNowEventType
queryFrequency: 1d
id: 48bb92e2-bad4-4fd4-9684-26cb188299b7
description: |
'Created to detect failed events of particular type from SailPointIDN_Events.'
requiredDataConnectors:
- dataTypes:
- SailPointIDN_Events
connectorId: SailPointIdentityNow
- dataTypes:
- SailPointIDN_Events
connectorId: SailPointIdentityNowConnector