Lookout - Critical Audit and Policy Changes v2
| Id | 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d |
| Rulename | Lookout - Critical Audit and Policy Changes (v2) |
| Description | Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance. |
| Severity | Medium |
| Tactics | DefenseEvasion Persistence PrivilegeEscalation Impact |
| Techniques | T1629 T1626 |
| Required data connectors | LookoutAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml |
| Version | 2.0.3 |
| Arm template | 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d.json |
LookoutEvents
| where EventType == "AUDIT"
| where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
| extend
ChangeImpact = case(
AuditType == "POLICY_CHANGE", "High",
AuditType == "SECURITY_SETTING_CHANGE", "High",
AuditType == "USER_MANAGEMENT", "Medium",
AuditType == "CONFIGURATION_CHANGE", "Medium",
"Low"
),
RiskLevel = case(
ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
ActorType == "UNKNOWN", "Suspicious Change",
"Standard Change"
)
| extend SecurityImplications = case(
AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
"Configuration Update"
)
| extend ComplianceRisk = case(
SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
SecurityImplications == "Device Wipe Disabled", "High",
SecurityImplications == "Privilege Changes", "High",
RiskLevel == "Unauthorized Change", "High",
RiskLevel == "Suspicious Change", "Medium",
"Low"
)
| extend ChangeDetails = case(
isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
"General audit event"
)
| project
TimeGenerated,
EventId,
AuditType,
ChangeImpact,
RiskLevel,
SecurityImplications,
ComplianceRisk,
ChangeDetails,
AuditAttributeChanges,
ActorType,
ActorGuid,
TargetType,
TargetGuid,
TargetEmailAddress,
ChangeType,
EnterpriseGuid
description: |
'Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.'
queryPeriod: 1h
severity: Medium
triggerThreshold: 0
queryFrequency: 15m
tactics:
- DefenseEvasion
- Persistence
- PrivilegeEscalation
- Impact
alertDetailsOverride:
alertTacticsColumnName: SecurityImplications
alertDescriptionFormat: '{{AuditType}} by {{ActorType}} with {{ComplianceRisk}} risk'
alertDisplayNameFormat: 'Critical Audit Event: {{SecurityImplications}} by {{ActorType}}'
alertSeverityColumnName: ComplianceRisk
version: 2.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml
query: |
LookoutEvents
| where EventType == "AUDIT"
| where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
| extend
ChangeImpact = case(
AuditType == "POLICY_CHANGE", "High",
AuditType == "SECURITY_SETTING_CHANGE", "High",
AuditType == "USER_MANAGEMENT", "Medium",
AuditType == "CONFIGURATION_CHANGE", "Medium",
"Low"
),
RiskLevel = case(
ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
ActorType == "UNKNOWN", "Suspicious Change",
"Standard Change"
)
| extend SecurityImplications = case(
AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
"Configuration Update"
)
| extend ComplianceRisk = case(
SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
SecurityImplications == "Device Wipe Disabled", "High",
SecurityImplications == "Privilege Changes", "High",
RiskLevel == "Unauthorized Change", "High",
RiskLevel == "Suspicious Change", "Medium",
"Low"
)
| extend ChangeDetails = case(
isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
"General audit event"
)
| project
TimeGenerated,
EventId,
AuditType,
ChangeImpact,
RiskLevel,
SecurityImplications,
ComplianceRisk,
ChangeDetails,
AuditAttributeChanges,
ActorType,
ActorGuid,
TargetType,
TargetGuid,
TargetEmailAddress,
ChangeType,
EnterpriseGuid
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorGuid
- identifier: Name
columnName: TargetEmailAddress
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: TargetGuid
triggerOperator: gt
name: Lookout - Critical Audit and Policy Changes (v2)
requiredDataConnectors:
- connectorId: LookoutAPI
dataTypes:
- LookoutEvents
relevantTechniques:
- T1629
- T1626
suppressionEnabled: false
customDetails:
RiskLevel: RiskLevel
ActorType: ActorType
SecurityImpact: SecurityImplications
ChangeType: ChangeType
AuditType: AuditType
ComplianceRisk: ComplianceRisk
ChangeImpact: ChangeImpact
TargetType: TargetType
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionDuration: PT30M
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: P1D
groupByAlertDetails:
- AuditType
- ActorGuid
enabled: true
matchingMethod: Selected
groupByCustomDetails:
- SecurityImpact
- ComplianceRisk
- ActorType
groupByEntities:
- Account
reopenClosedIncident: false
status: Available
id: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d