Bitglass - User Agent string has changed for user

Back


Id	4dd61530-859f-49e7-bd27-a173cb1a4589
Rulename	Bitglass - User Agent string has changed for user
Description	Detects when User Agent string has changed for user.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml
Version	1.0.0
Arm template	4dd61530-859f-49e7-bd27-a173cb1a4589.json

KQL

Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize ua = makeset(HttpUserAgent) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where ua !contains HttpUserAgent
| extend AccountCustomEntity = User

YAML

relevantTechniques:
- T1078
name: Bitglass - User Agent string has changed for user
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: 4dd61530-859f-49e7-bd27-a173cb1a4589
tactics:
- InitialAccess
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Detects when User Agent string has changed for user.'
query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize ua = makeset(HttpUserAgent) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where ua !contains HttpUserAgent
  | extend AccountCustomEntity = User  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4dd61530-859f-49e7-bd27-a173cb1a4589')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4dd61530-859f-49e7-bd27-a173cb1a4589')]",
      "properties": {
        "alertRuleTemplateName": "4dd61530-859f-49e7-bd27-a173cb1a4589",
        "customDetails": null,
        "description": "'Detects when User Agent string has changed for user.'\n",
        "displayName": "Bitglass - User Agent string has changed for user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml",
        "query": "Bitglass\n| where EventType =~ 'access'\n| where EventMessage =~ 'Login'\n| summarize ua = makeset(HttpUserAgent) by User\n| join (Bitglass\n        | where EventType =~ 'access'\n        | where EventMessage =~ 'Login') on User\n| where ua !contains HttpUserAgent\n| extend AccountCustomEntity = User\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}