Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zero Networks Segment - Rare JIT Rule Creation

Back
Id58688058-68b2-4b39-8009-ac6dc4d81ea1
RulenameZero Networks Segment - Rare JIT Rule Creation
DescriptionIdentifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.

JIT Rule creations are indicated by the Activity Type Id 20
SeverityMedium
TacticsLateralMovement
TechniquesT1021
Required data connectorsZeroNetworksSegmentAuditFunction
ZeroNetworksSegmentAuditNativePoller
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
Version1.0.2
Arm template58688058-68b2-4b39-8009-ac6dc4d81ea1.json
Deploy To Azure
let starttime = 14d;
let endtime = 1d;
ZNSegmentAudit
| where TimeGenerated >= ago(endtime)
| where AuditTypeId == 20
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
by PerformedByName, tostring(DestinationEntityName)
  // use left anti to exclude anything from the previous 14 days that is not rare
| join kind=leftanti (
ZNSegmentAudit
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where AuditTypeId == 20
| summarize by tostring(DestinationEntityName)
) on DestinationEntityName
| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
by PerformedByName, DestinationEntityName
| extend TimeGenerated = StartTime
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: PerformedByName
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DestinationEntityName
queryFrequency: 1d
name: Zero Networks Segment - Rare JIT Rule Creation
kind: Scheduled
tactics:
- LateralMovement
triggerThreshold: 0
query: |
  let starttime = 14d;
  let endtime = 1d;
  ZNSegmentAudit
  | where TimeGenerated >= ago(endtime)
  | where AuditTypeId == 20
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()
  by PerformedByName, tostring(DestinationEntityName)
    // use left anti to exclude anything from the previous 14 days that is not rare
  | join kind=leftanti (
  ZNSegmentAudit
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
  | where AuditTypeId == 20
  | summarize by tostring(DestinationEntityName)
  ) on DestinationEntityName
  | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)
  by PerformedByName, DestinationEntityName
  | extend TimeGenerated = StartTime  
relevantTechniques:
- T1021
triggerOperator: gt
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml
severity: Medium
status: Available
id: 58688058-68b2-4b39-8009-ac6dc4d81ea1
requiredDataConnectors:
- connectorId: ZeroNetworksSegmentAuditFunction
  dataTypes:
  - ZNSegmentAudit_CL
- connectorId: ZeroNetworksSegmentAuditNativePoller
  dataTypes:
  - ZNSegmentAuditNativePoller_CL
version: 1.0.2
description: |
  'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.
  JIT Rule creations are indicated by the Activity Type Id 20'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58688058-68b2-4b39-8009-ac6dc4d81ea1')]",
      "properties": {
        "alertRuleTemplateName": "58688058-68b2-4b39-8009-ac6dc4d81ea1",
        "customDetails": null,
        "description": "'Identifies when a JIT Rule connection is new or rare by a given account today based on comparison with the previous 14 days.\nJIT Rule creations are indicated by the Activity Type Id 20'\n",
        "displayName": "Zero Networks Segment - Rare JIT Rule Creation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PerformedByName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationEntityName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ZeroNetworks/Analytic Rules/ZNSegmentRareJITRuleCreation.yaml",
        "query": "let starttime = 14d;\nlet endtime = 1d;\nZNSegmentAudit\n| where TimeGenerated >= ago(endtime)\n| where AuditTypeId == 20\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\nby PerformedByName, tostring(DestinationEntityName)\n  // use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nZNSegmentAudit\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where AuditTypeId == 20\n| summarize by tostring(DestinationEntityName)\n) on DestinationEntityName\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\nby PerformedByName, DestinationEntityName\n| extend TimeGenerated = StartTime\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1021"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}