Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zero Networks Segment - Rare JIT Rule Creation

Back
Id58688058-68b2-4b39-8009-ac6dc4d81ea1
RulenameZero Networks Segment - Rare JIT Rule Creation
DescriptionIdentifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.

JIT Rule creations are indicated by the Activity Type Id 20
SeverityMedium
TacticsLateralMovement
TechniquesT1021
Required data connectorsZeroNetworksSegmentAuditFunction
ZeroNetworksSegmentAuditNativePoller
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
Version1.0.2
Arm template58688058-68b2-4b39-8009-ac6dc4d81ea1.json
Deploy To Azure
let starttime = 14d;
let endtime = 1d;
ZNSegmentAudit
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
  // use left anti to exclude anything from the previous 14 days that is not rare
| join kind=leftanti (
ZNSegmentAudit
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
triggerOperator: gt
version: 1.0.2
query: |
  let starttime = 14d;
  let endtime = 1d;
  ZNSegmentAudit
  | where TimeGenerated >= ago(endtime)
  | where AuditTypeId == 20
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
  by PerformedByName, tostring(DestinationEntityName)
    // use left anti to exclude anything from the previous 14 days that is not rare
  | join kind=leftanti (
  ZNSegmentAudit
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
  | where AuditTypeId == 20
  | summarize by tostring(DestinationEntityName)
  ) on DestinationEntityName
  | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
  by PerformedByName, DestinationEntityName
  | extend TimeGenerated = StartTime  
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: PerformedByName
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: DestinationEntityName
    identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
queryFrequency: 1d
requiredDataConnectors:
- connectorId: ZeroNetworksSegmentAuditFunction
  dataTypes:
  - ZNSegmentAudit_CL
- connectorId: ZeroNetworksSegmentAuditNativePoller
  dataTypes:
  - ZNSegmentAuditNativePoller_CL
name: Zero Networks Segment - Rare JIT Rule Creation
queryPeriod: 14d
severity: Medium
kind: Scheduled
tactics:
- LateralMovement
id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
description: |
  'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.
  JIT Rule creations are indicated by the Activity Type Id 20'  
relevantTechniques:
- T1021
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Zero Networks Segment - Rare JIT Rule Creation",
        "description": "'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.\nJIT Rule creations are indicated by the Activity Type Id 20'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let starttime = 14d;\nlet endtime = 1d;\nZNSegmentAudit\n| where TimeGenerated >= ago(endtime)\n| where AuditTypeId == 20\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\nby PerformedByName, tostring(DestinationEntityName)\n  // use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nZNSegmentAudit\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where AuditTypeId == 20\n| summarize by tostring(DestinationEntityName)\n) on DestinationEntityName\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\nby PerformedByName, DestinationEntityName\n| extend TimeGenerated = StartTime\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1021"
        ],
        "alertRuleTemplateName": "58688058-68b2-4b39-8009-ac6dc4d81ea1",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "PerformedByName",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "DestinationEntityName",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml",
        "status": "Available",
        "templateVersion": "1.0.2"
      }
    }
  ]
}