Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zscaler - Unexpected event count of rejects by policy

Back
Id593e3e2a-43ce-11ec-81d3-0242ac130003
RulenameZscaler - Unexpected event count of rejects by policy
DescriptionDetects unexpected event count of rejects by policy.
SeverityHigh
TacticsInitialAccess
TechniquesT1078
T1133
Required data connectorsZscalerPrivateAccess
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
Version1.0.0
Arm template593e3e2a-43ce-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 1000;
ZPAEvent
| where EventResult has "REJECTED_BY_POLICY"
| summarize rejected = count() by EventResult, DstUserName
| where rejected > threshold
| extend AccountCustomEntity = DstUserName
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - ZPAEvent
  connectorId: ZscalerPrivateAccess
queryPeriod: 1h
status: Available
kind: Scheduled
description: |
    'Detects unexpected event count of rejects by policy.'
query: |
  let threshold = 1000;
  ZPAEvent
  | where EventResult has "REJECTED_BY_POLICY"
  | summarize rejected = count() by EventResult, DstUserName
  | where rejected > threshold
  | extend AccountCustomEntity = DstUserName  
relevantTechniques:
- T1078
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
severity: High
triggerThreshold: 0
name: Zscaler - Unexpected event count of rejects by policy
tactics:
- InitialAccess
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
id: 593e3e2a-43ce-11ec-81d3-0242ac130003
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "593e3e2a-43ce-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects unexpected event count of rejects by policy.'\n",
        "displayName": "Zscaler - Unexpected event count of rejects by policy",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml",
        "query": "let threshold = 1000;\nZPAEvent\n| where EventResult has \"REJECTED_BY_POLICY\"\n| summarize rejected = count() by EventResult, DstUserName\n| where rejected > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}