Zero Networks Segment - Rare JIT Rule Creation
| Id | 58688058-68b2-4b39-8009-ac6dc4d81ea1 |
| Rulename | Zero Networks Segment - Rare JIT Rule Creation |
| Description | Identifies when a JIT Rule connection is new or rare for a given account today, based on comparison with the previous 14 days. JIT Rule creations are indicated by the Activity Type Id 20. |
| Severity | Medium |
| Tactics | LateralMovement |
| Techniques | T1021 |
| Required data connectors | ZeroNetworksSegmentAuditFunction ZeroNetworksSegmentAuditNativePoller |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml |
| Version | 1.0.2 |
| Arm template | 58688058-68b2-4b39-8009-ac6dc4d81ea1.json |
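// Baseline window length: the 14 days preceding the detection window.
let starttime = 14d;
// Detection window length: the most recent day.
let endtime = 1d;
ZNSegmentAudit
| where TimeGenerated >= ago(endtime)
// AuditTypeId 20 denotes a JIT rule creation (per the rule description).
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
    by PerformedByName, DestinationEntityName = tostring(DestinationEntityName)
// Left anti-join drops every (account, destination) pair already seen in the baseline
// window, leaving only pairs that are new for that account. The baseline is keyed on
// the account as well as the destination so the result matches the description
// ("by a given account"); keying on the destination alone would suppress an account's
// first JIT rule to a host that any other account had already created one for.
| join kind=leftanti (
    ZNSegmentAudit
    | where TimeGenerated between (ago(starttime) .. ago(endtime))
    | where AuditTypeId == 20
    | summarize by PerformedByName, DestinationEntityName = tostring(DestinationEntityName)
) on PerformedByName, DestinationEntityName
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
    by PerformedByName, DestinationEntityName
// Report the first creation in the window as the alert time.
| extend TimeGenerated = StartTime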
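id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
requiredDataConnectors:
  - dataTypes:
      - ZNSegmentAudit_CL
    connectorId: ZeroNetworksSegmentAuditFunction
  - dataTypes:
      - ZNSegmentAuditNativePoller_CL
    connectorId: ZeroNetworksSegmentAuditNativePoller
triggerOperator: gt
description: |
  'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.
  JIT Rule creations are indicated by the Activity Type Id 20'
entityMappings:
  - fieldMappings:
      - columnName: PerformedByName
        identifier: Name
    entityType: Account
  - fieldMappings:
      - columnName: DestinationEntityName
        identifier: HostName
    entityType: Host
status: Available
relevantTechniques:
  - T1021
queryPeriod: 14d
severity: Medium
query: |
  // Baseline window length: the 14 days preceding the detection window.
  let starttime = 14d;
  // Detection window length: the most recent day.
  let endtime = 1d;
  ZNSegmentAudit
  | where TimeGenerated >= ago(endtime)
  // AuditTypeId 20 denotes a JIT rule creation (per the rule description).
  | where AuditTypeId == 20
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
      by PerformedByName, DestinationEntityName = tostring(DestinationEntityName)
  // Left anti-join drops every (account, destination) pair already seen in the baseline
  // window, leaving only pairs that are new for that account. The baseline is keyed on
  // the account as well as the destination so the result matches the description
  // ("by a given account"); keying on the destination alone would suppress an account's
  // first JIT rule to a host that any other account had already created one for.
  | join kind=leftanti (
      ZNSegmentAudit
      | where TimeGenerated between (ago(starttime) .. ago(endtime))
      | where AuditTypeId == 20
      | summarize by PerformedByName, DestinationEntityName = tostring(DestinationEntityName)
  ) on PerformedByName, DestinationEntityName
  | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
      by PerformedByName, DestinationEntityName
  // Report the first creation in the window as the alert time.
  | extend TimeGenerated = StartTime
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
triggerThreshold: 0
name: Zero Networks Segment - Rare JIT Rule Creation
tactics:
  - LateralMovement
queryFrequency: 1d
kind: Scheduled
version: 1.0.2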