Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CTERA Mass Access Denied Detection Analytic

CTERA Mass Access Denied Detection Analytic

Back
Id88341fc3-38e1-46db-8bb1-6c052e749991
RulenameCTERA Mass Access Denied Detection Analytic
DescriptionThis analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsCTERA
KindScheduled
Query frequency5m
Query period5m
Trigger threshold1000
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassAccessDenied.yaml
Version1.0.0
Arm template88341fc3-38e1-46db-8bb1-6c052e749991.json
Deploy To Azure
Syslog
| where ProcessName == 'gw-audit'
| extend
    TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
    UserName = extract("user=([^|]*)", 1, SyslogMessage),
    Operation = extract("op=([^|]*)", 1, SyslogMessage),
    EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
    RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
    Share = extract("share=([^|]*)", 1, SyslogMessage),
    LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
    Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
| where Operation in ('OpenDenied', 'createDenied', 'AclDenied', 'deleteDenied')
| summarize Count = count() by bin(Timestamp, 5m), UserName, EdgeFiler
| where Count > 1000

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
id: 88341fc3-38e1-46db-8bb1-6c052e749991
tactics:
- DefenseEvasion
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 1000
name: CTERA Mass Access Denied Detection Analytic
query: |
  Syslog
  | where ProcessName == 'gw-audit'
  | extend
      TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
      UserName = extract("user=([^|]*)", 1, SyslogMessage),
      Operation = extract("op=([^|]*)", 1, SyslogMessage),
      EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
      RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
      Share = extract("share=([^|]*)", 1, SyslogMessage),
      LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
      Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
  | where Operation in ('OpenDenied', 'createDenied', 'AclDenied', 'deleteDenied')
  | summarize Count = count() by bin(Timestamp, 5m), UserName, EdgeFiler
  | where Count > 1000  
severity: High
customDetails:
  RootPath: RootPath
  EdgeFiler: EdgeFiler
  TenantName: TenantName
  Share: Share
  UserName: UserName
triggerOperator: GreaterThan
kind: Scheduled
suppressionDuration: PT5H
relevantTechniques:
- T1562
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassAccessDenied.yaml
suppressionEnabled: false
queryFrequency: 5m
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
version: 1.0.0
description: This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
status: Available
alertDetailsOverride:
  alertnameFormat: CTERA Batch Access Denied Detection
  alertDescriptionFormat: |
        Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: EdgeFiler
    identifier: Name
  entityType: File

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/88341fc3-38e1-46db-8bb1-6c052e749991')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/88341fc3-38e1-46db-8bb1-6c052e749991')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.\n",
          "alertnameFormat": "CTERA Batch Access Denied Detection"
        },
        "alertRuleTemplateName": "88341fc3-38e1-46db-8bb1-6c052e749991",
        "customDetails": {
          "EdgeFiler": "EdgeFiler",
          "RootPath": "RootPath",
          "Share": "Share",
          "TenantName": "TenantName",
          "UserName": "UserName"
        },
        "description": "This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold",
        "displayName": "CTERA Mass Access Denied Detection Analytic",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassAccessDenied.yaml",
        "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n    TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n    UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n    Operation = extract(\"op=([^|]*)\", 1, SyslogMessage),\n    EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n    RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n    Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n    LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n    Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Operation in ('OpenDenied', 'createDenied', 'AclDenied', 'deleteDenied')\n| summarize Count = count() by bin(Timestamp, 5m), UserName, EdgeFiler\n| where Count > 1000\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1000
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}