Zscaler - Unexpected event count of rejects by policy

Back


Id	593e3e2a-43ce-11ec-81d3-0242ac130003
Rulename	Zscaler - Unexpected event count of rejects by policy
Description	Detects unexpected event count of rejects by policy.
Severity	High
Tactics	InitialAccess
Techniques	T1078 T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
Version	1.0.2
Arm template	593e3e2a-43ce-11ec-81d3-0242ac130003.json

KQL

let threshold = 1000;
ZPAEvent
| where EventResult has "REJECTED_BY_POLICY"
| summarize rejected = count() by EventResult, DstUserName
| where rejected > threshold
| extend AccountCustomEntity = DstUserName

YAML

requiredDataConnectors:
- datatypes:
  - ZPA_CL
  connectorId: CustomLogsAma
triggerThreshold: 0
relevantTechniques:
- T1078
- T1133
queryPeriod: 1h
version: 1.0.2
id: 593e3e2a-43ce-11ec-81d3-0242ac130003
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
query: |
  let threshold = 1000;
  ZPAEvent
  | where EventResult has "REJECTED_BY_POLICY"
  | summarize rejected = count() by EventResult, DstUserName
  | where rejected > threshold
  | extend AccountCustomEntity = DstUserName  
status: Available
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- InitialAccess
severity: High
name: Zscaler - Unexpected event count of rejects by policy
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
    'Detects unexpected event count of rejects by policy.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "593e3e2a-43ce-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects unexpected event count of rejects by policy.'\n",
        "displayName": "Zscaler - Unexpected event count of rejects by policy",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml",
        "query": "let threshold = 1000;\nZPAEvent\n| where EventResult has \"REJECTED_BY_POLICY\"\n| summarize rejected = count() by EventResult, DstUserName\n| where rejected > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}