Unauthorized Association Medium

Back


Id	4999feef-84af-4510-a2c8-91265873b552
Rulename	Unauthorized Association (Medium)
Description	New Unauthorized Association with severity Medium found
Severity	Medium
Tactics	CredentialAccess
Techniques	T1557
Required data connectors	CBSPollingIDAzureFunctions
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/unauthorized_association_medium.yaml
Version	1.0.0
Arm template	4999feef-84af-4510-a2c8-91265873b552.json

KQL

CBSLog_Azure_1_CL | where severity_s == "Medium" | where type_s == "Unauthorized Association" | where status_s != "Closed" or status_s != "Resolved"

YAML

suppressionEnabled: false
status: Available
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/unauthorized_association_medium.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
description: New Unauthorized Association with severity Medium found
triggerOperator: gt
tactics:
- CredentialAccess
queryPeriod: 5m
triggerThreshold: 0
id: 4999feef-84af-4510-a2c8-91265873b552
severity: Medium
requiredDataConnectors:
- connectorId: CBSPollingIDAzureFunctions
  dataTypes:
  - CBSLog_Azure_1_CL
version: 1.0.0
query: CBSLog_Azure_1_CL | where severity_s == "Medium" | where type_s == "Unauthorized Association" | where status_s != "Closed" or status_s != "Resolved"
name: Unauthorized Association (Medium)
suppressionDuration: 5h
relevantTechniques:
- T1557
kind: Scheduled

ARM