Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Zscaler - Unexpected event count of rejects by policy

Back
Id593e3e2a-43ce-11ec-81d3-0242ac130003
RulenameZscaler - Unexpected event count of rejects by policy
DescriptionDetects unexpected event count of rejects by policy.
SeverityHigh
TacticsInitialAccess
TechniquesT1078
T1133
Required data connectorsZscalerPrivateAccess
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
Version1.0.0
Arm template593e3e2a-43ce-11ec-81d3-0242ac130003.json
Deploy To Azure
let threshold = 1000;
ZPAEvent
| where EventResult has "REJECTED_BY_POLICY"
| summarize rejected = count() by EventResult, DstUserName
| where rejected > threshold
| extend AccountCustomEntity = DstUserName
status: Available
id: 593e3e2a-43ce-11ec-81d3-0242ac130003
name: Zscaler - Unexpected event count of rejects by policy
requiredDataConnectors:
- connectorId: ZscalerPrivateAccess
  dataTypes:
  - ZPAEvent
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml
kind: Scheduled
description: |
    'Detects unexpected event count of rejects by policy.'
relevantTechniques:
- T1078
- T1133
queryPeriod: 1h
triggerOperator: gt
queryFrequency: 1h
query: |
  let threshold = 1000;
  ZPAEvent
  | where EventResult has "REJECTED_BY_POLICY"
  | summarize rejected = count() by EventResult, DstUserName
  | where rejected > threshold
  | extend AccountCustomEntity = DstUserName  
version: 1.0.0
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/593e3e2a-43ce-11ec-81d3-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "593e3e2a-43ce-11ec-81d3-0242ac130003",
        "customDetails": null,
        "description": "'Detects unexpected event count of rejects by policy.'\n",
        "displayName": "Zscaler - Unexpected event count of rejects by policy",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountEventResult.yaml",
        "query": "let threshold = 1000;\nZPAEvent\n| where EventResult has \"REJECTED_BY_POLICY\"\n| summarize rejected = count() by EventResult, DstUserName\n| where rejected > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}