Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Bitglass - User Agent string has changed for user

Back
Id4dd61530-859f-49e7-bd27-a173cb1a4589
RulenameBitglass - User Agent string has changed for user
DescriptionDetects when User Agent string has changed for user.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsBitglass
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml
Version1.0.0
Arm template4dd61530-859f-49e7-bd27-a173cb1a4589.json
Deploy To Azure
Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize ua = makeset(HttpUserAgent) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where ua !contains HttpUserAgent
| extend AccountCustomEntity = User
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
queryFrequency: 1h
name: Bitglass - User Agent string has changed for user
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize ua = makeset(HttpUserAgent) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where ua !contains HttpUserAgent
  | extend AccountCustomEntity = User  
relevantTechniques:
- T1078
triggerOperator: gt
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml
severity: Medium
status: Available
id: 4dd61530-859f-49e7-bd27-a173cb1a4589
requiredDataConnectors:
- connectorId: Bitglass
  dataTypes:
  - Bitglass
version: 1.0.0
description: |
    'Detects when User Agent string has changed for user.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4dd61530-859f-49e7-bd27-a173cb1a4589')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4dd61530-859f-49e7-bd27-a173cb1a4589')]",
      "properties": {
        "alertRuleTemplateName": "4dd61530-859f-49e7-bd27-a173cb1a4589",
        "customDetails": null,
        "description": "'Detects when User Agent string has changed for user.'\n",
        "displayName": "Bitglass - User Agent string has changed for user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassUserUAChanged.yaml",
        "query": "Bitglass\n| where EventType =~ 'access'\n| where EventMessage =~ 'Login'\n| summarize ua = makeset(HttpUserAgent) by User\n| join (Bitglass\n        | where EventType =~ 'access'\n        | where EventMessage =~ 'Login') on User\n| where ua !contains HttpUserAgent\n| extend AccountCustomEntity = User\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}