Zscaler - Unexpected event count of rejects by policy

Back


Id	593e3e2a-43ce-11ec-81d3-0242ac130003
Rulename	Zscaler - Unexpected event count of rejects by policy
Description	Detects unexpected event count of rejects by policy.
Severity	High
Tactics	InitialAccess
Techniques	T1078 T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
Version	1.0.2
Arm template	593e3e2a-43ce-11ec-81d3-0242ac130003.json

KQL

let threshold = 1000;
ZPAEvent
| where EventResult has "REJECTED_BY_POLICY"
| summarize rejected = count() by EventResult, DstUserName
| where rejected > threshold
| extend AccountCustomEntity = DstUserName

YAML

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Zscaler - Unexpected event count of rejects by policy
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
queryPeriod: 1h
severity: High
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
queryFrequency: 1h
relevantTechniques:
- T1078
- T1133
requiredDataConnectors:
- datatypes:
  - ZPA_CL
  connectorId: CustomLogsAma
description: |
    'Detects unexpected event count of rejects by policy.'
tactics:
- InitialAccess
query: |
  let threshold = 1000;
  ZPAEvent
  | where EventResult has "REJECTED_BY_POLICY"
  | summarize rejected = count() by EventResult, DstUserName
  | where rejected > threshold
  | extend AccountCustomEntity = DstUserName  
id: 593e3e2a-43ce-11ec-81d3-0242ac130003
version: 1.0.2

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "593e3e2a-43ce-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects unexpected event count of rejects by policy.'\n",
        "displayName": "Zscaler - Unexpected event count of rejects by policy",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml",
        "query": "let threshold = 1000;\nZPAEvent\n| where EventResult has \"REJECTED_BY_POLICY\"\n| summarize rejected = count() by EventResult, DstUserName\n| where rejected > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}