SenservaPro AD Applications Not Using Client Credentials

Back


Id	56910d7b-aae7-452c-a3ed-89f72ef59234
Rulename	SenservaPro AD Applications Not Using Client Credentials
Description	Searches for logs of AD Applications without Client Credentials (Key or Secret)
Severity	Medium
Tactics	Impact
Techniques	T1529 T1485
Required data connectors	SenservaPro
Kind	Scheduled
Query frequency	6h
Query period	6h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AppsNoClientCredentials.yaml
Version	1.0.0
Arm template	56910d7b-aae7-452c-a3ed-89f72ef59234.json

KQL

SenservaPro_CL
| where ControlName_s == 'ApplicationNotUsingClientCredentials'

YAML

description: |
    'Searches for logs of AD Applications without Client Credentials (Key or Secret)'
triggerThreshold: 0
queryPeriod: 6h
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1529
- T1485
query: |
  SenservaPro_CL
  | where ControlName_s == 'ApplicationNotUsingClientCredentials'  
queryFrequency: 6h
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
name: SenservaPro AD Applications Not Using Client Credentials
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: ControlName_s
  - identifier: AadTenantId
    columnName: TenantId
  - identifier: DisplayName
    columnName: TenantDisplayName_s
  entityType: Account
- fieldMappings:
  - identifier: DistinguishedName
    columnName: Group_s
  entityType: SecurityGroup
- fieldMappings:
  - identifier: ResourceId
    columnName: SourceSystem
  entityType: AzureResource
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/AppsNoClientCredentials.yaml
status: Available
id: 56910d7b-aae7-452c-a3ed-89f72ef59234
tactics:
- Impact

ARM