Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zscaler - Unexpected event count of rejects by policy

Back
Id593e3e2a-43ce-11ec-81d3-0242ac130003
RulenameZscaler - Unexpected event count of rejects by policy
DescriptionDetects unexpected event count of rejects by policy.
SeverityHigh
TacticsInitialAccess
TechniquesT1078
T1133
Required data connectorsCustomLogsAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
Version1.0.2
Arm template593e3e2a-43ce-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 1000;
ZPAEvent
| where EventResult has "REJECTED_BY_POLICY"
| summarize rejected = count() by EventResult, DstUserName
| where rejected > threshold
| extend AccountCustomEntity = DstUserName
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
queryFrequency: 1h
name: Zscaler - Unexpected event count of rejects by policy
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
query: |
  let threshold = 1000;
  ZPAEvent
  | where EventResult has "REJECTED_BY_POLICY"
  | summarize rejected = count() by EventResult, DstUserName
  | where rejected > threshold
  | extend AccountCustomEntity = DstUserName  
relevantTechniques:
- T1078
- T1133
triggerOperator: gt
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
severity: High
status: Available
id: 593e3e2a-43ce-11ec-81d3-0242ac130003
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - ZPA_CL
version: 1.0.2
description: |
    'Detects unexpected event count of rejects by policy.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "593e3e2a-43ce-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects unexpected event count of rejects by policy.'\n",
        "displayName": "Zscaler - Unexpected event count of rejects by policy",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml",
        "query": "let threshold = 1000;\nZPAEvent\n| where EventResult has \"REJECTED_BY_POLICY\"\n| summarize rejected = count() by EventResult, DstUserName\n| where rejected > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}