EatonForeseer - Unauthorized Logins
Id | 5a7fccb8-3ed0-44f2-8477-540af3ef4d92 |
Rulename | EatonForeseer - Unauthorized Logins |
Description | Detects logon-related Windows Security events (4624, 4625, 4648, 4675, 4634, 4647) for user accounts whose caller process name contains "Foreseer" and whose target account is not on the rule's allow-list of approved users; one row per account/host pair per 15-minute window. Note the list includes logoff events (4634, 4647), so a hit is not necessarily a logon. |
Severity | High |
Tactics | InitialAccess |
Techniques | T1078 |
Required data connectors | WindowsSecurityEvents |
Kind | Scheduled |
Query frequency | 15m |
Query period | 15m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/EatonForeseer/Analytic Rules/EatonUnautorizedLogins.yaml |
Version | 1.0.0 |
Arm template | 5a7fccb8-3ed0-44f2-8477-540af3ef4d92.json |
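SecurityEvent
// Logon-related Windows Security events. The list also includes the logoff
// events (4634, 4647) and SID filtering (4675), so despite the rule name a hit
// is not necessarily a logon — EventID/Activity are projected below so the
// analyst can tell them apart.
| where EventID in (4624, 4625, 4648, 4675, 4634, 4647)
// User principals only; machine and service accounts are out of scope here
| where AccountType == "User"
// Drop records that carry no target account name
| where isnotempty(TargetUserName)
// Keep events whose caller process path contains the term "Foreseer".
// `has` is case-insensitive but term-based: a path segment like \Foreseer\
// matches, a single token such as "ForeseerServer" does not — switch to
// `contains` if the deployed binary is named that way.
// NOTE(review): logoff (4634/4647) and SID-filtering (4675) events generally
// carry no caller process name, so this filter is expected to keep only
// 4624/4625/4648 in practice — confirm against the ingested data.
| where ProcessName has "Foreseer"
// Allow-list of approved Foreseer users — edit for your environment; left as
// the placeholders below, every Foreseer logon will alert.
// Windows account names are case-insensitive, so compare with `!in~`; a plain
// `!in` would alert on "JaneDoe" even though "janedoe" is approved.
| where TargetUserName !in~ ("janedoe", "johndoe")
// One row per account/host pair in the window, keeping the earliest event and
// all of its columns.
// NOTE(review): this also collapses a failed (4625) and a successful (4624)
// logon by the same account into one row; add EventID to the `by` clause if
// they should be reported separately.
| summarize TimeGenerated = arg_min(TimeGenerated, *) by TargetUserName, Computer
// Columns consumed by the entity mappings (IPCustomEntity, HostCustomEntity,
// UserEntity, Process), plus EventID/Activity/LogonType so success, failure
// and logoff can be distinguished without pivoting back to the raw event.
| project
    TimeGenerated,
    EventID,
    Activity,
    LogonType,
    IPCustomEntity = IpAddress,
    HostCustomEntity = Computer,
    UserEntity = TargetUserName,
    Process,
    ProcessName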
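# Sentinel scheduled analytic rule definition (indentation restored; the ARM
# template is generated from this file, so the `query` here is the source of
# truth).
relevantTechniques:
  - T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/EatonForeseer/Analytic Rules/EatonUnautorizedLogins.yaml
kind: Scheduled
# Alert when the query returns more than `triggerThreshold` rows (0 => any row)
triggerOperator: gt
requiredDataConnectors:
  - dataTypes:
      - SecurityEvent
    connectorId: WindowsSecurityEvents
severity: High
# Entity mappings read the projected columns by name; keep the aliases in the
# query's `project` in sync with `columnName` here.
entityMappings:
  - fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
    entityType: IP
  - fieldMappings:
      - identifier: Name
        columnName: UserEntity
    entityType: Account
  - fieldMappings:
      - identifier: HostName
        columnName: HostCustomEntity
    entityType: Host
  # NOTE(review): the `Process` column is mapped to the CommandLine identifier;
  # it looks like a process name rather than a full command line — confirm
  # this is what downstream workbooks/playbooks expect.
  - fieldMappings:
      - identifier: CommandLine
        columnName: Process
    entityType: Process
version: 1.0.0
tactics:
  - InitialAccess
triggerThreshold: 0
# Run every 15 minutes over the last 15 minutes: contiguous, non-overlapping windows
queryPeriod: 15m
queryFrequency: 15m
id: 5a7fccb8-3ed0-44f2-8477-540af3ef4d92
name: EatonForeseer - Unauthorized Logins
status: Available
description: |
  'Detects Unauthorized Logins into Eaton Foreseer'
query: |
  SecurityEvent
  // Logon-related Windows Security events. The list also includes the logoff
  // events (4634, 4647) and SID filtering (4675), so a hit is not necessarily
  // a logon — EventID/Activity are projected below so they can be told apart.
  | where EventID in (4624, 4625, 4648, 4675, 4634, 4647)
  // User principals only; machine and service accounts are out of scope here
  | where AccountType == "User"
  // Drop records that carry no target account name
  | where isnotempty(TargetUserName)
  // Keep events whose caller process path contains the term "Foreseer".
  // `has` is case-insensitive but term-based; use `contains` if the binary is
  // named e.g. "ForeseerServer".
  // NOTE(review): logoff and SID-filtering events generally carry no caller
  // process name, so this likely keeps only 4624/4625/4648 — confirm on data.
  | where ProcessName has "Foreseer"
  // Allow-list of approved Foreseer users — edit for your environment; left as
  // the placeholders, every Foreseer logon will alert. Windows account names
  // are case-insensitive, so compare with `!in~`.
  | where TargetUserName !in~ ("janedoe", "johndoe")
  // One row per account/host pair in the window, keeping the earliest event.
  // NOTE(review): a 4625 and a 4624 for the same account collapse into one
  // row; add EventID to `by` if they should be reported separately.
  | summarize TimeGenerated = arg_min(TimeGenerated, *) by TargetUserName, Computer
  // Columns consumed by the entity mappings, plus EventID/Activity/LogonType
  // so success, failure and logoff can be distinguished in the alert.
  | project
      TimeGenerated,
      EventID,
      Activity,
      LogonType,
      IPCustomEntity = IpAddress,
      HostCustomEntity = Computer,
      UserEntity = TargetUserName,
      Process,
      ProcessName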
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a7fccb8-3ed0-44f2-8477-540af3ef4d92')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a7fccb8-3ed0-44f2-8477-540af3ef4d92')]",
"properties": {
"alertRuleTemplateName": "5a7fccb8-3ed0-44f2-8477-540af3ef4d92",
"customDetails": null,
"description": "'Detects Unauthorized Logins into Eaton Foreseer'\n",
"displayName": "EatonForeseer - Unauthorized Logins",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserEntity",
"identifier": "Name"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "HostName"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "Process",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/EatonForeseer/Analytic Rules/EatonUnautorizedLogins.yaml",
"query": "SecurityEvent\n// Look for all events relating to user logins\n| where EventID in (4624,4625,4648,4675,4634,4647)\n| where AccountType == \"User\"\n// Filter for data present\n| where isnotempty(TargetUserName)\n// Look for all events that relate to the Eaton Foreseer application\n| where ProcessName has \"Foreseer\"\n// Ignore known user accounts (please edit based on your allowed users)\n| where TargetUserName !in (\"janedoe\", \"johndoe\")\n// De-duplicate multiple entries for the same user accessing a particular device\n| summarize TimeGenerated=arg_min(TimeGenerated, *) by TargetUserName, Computer\n| project\n TimeGenerated,\n IPCustomEntity = IpAddress,\n HostCustomEntity = Computer,\n UserEntity = TargetUserName,\n Process,\n ProcessName\n",
"queryFrequency": "PT15M",
"queryPeriod": "PT15M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}