Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CTERA Mass Access Denied Detection Analytic

CTERA Mass Access Denied Detection Analytic

Back
Id88341fc3-38e1-46db-8bb1-6c052e749991
RulenameCTERA Mass Access Denied Detection Analytic
DescriptionThis analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsCTERA
KindScheduled
Query frequency5m
Query period5m
Trigger threshold1000
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassAccessDenied.yaml
Version1.0.0
Arm template88341fc3-38e1-46db-8bb1-6c052e749991.json
Deploy To Azure
Syslog
| where ProcessName == 'gw-audit'
| extend
    TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
    UserName = extract("user=([^|]*)", 1, SyslogMessage),
    Operation = extract("op=([^|]*)", 1, SyslogMessage),
    EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
    RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
    Share = extract("share=([^|]*)", 1, SyslogMessage),
    LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
    Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
| where Operation in ('OpenDenied', 'createDenied', 'AclDenied', 'deleteDenied')
| summarize Count = count() by bin(Timestamp, 5m), UserName, EdgeFiler
| where Count > 1000

suppressionEnabled: false
relevantTechniques:
- T1562
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: EdgeFiler
    identifier: Name
  entityType: File
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
  createIncident: true
version: 1.0.0
triggerThreshold: 1000
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassAccessDenied.yaml
suppressionDuration: PT5H
description: This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
customDetails:
  RootPath: RootPath
  Share: Share
  UserName: UserName
  EdgeFiler: EdgeFiler
  TenantName: TenantName
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
triggerOperator: GreaterThan
alertDetailsOverride:
  alertnameFormat: CTERA Batch Access Denied Detection
  alertDescriptionFormat: |
        Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.
eventGroupingSettings:
  aggregationKind: SingleAlert
id: 88341fc3-38e1-46db-8bb1-6c052e749991
queryFrequency: 5m
query: |
  Syslog
  | where ProcessName == 'gw-audit'
  | extend
      TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
      UserName = extract("user=([^|]*)", 1, SyslogMessage),
      Operation = extract("op=([^|]*)", 1, SyslogMessage),
      EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
      RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
      Share = extract("share=([^|]*)", 1, SyslogMessage),
      LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
      Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
  | where Operation in ('OpenDenied', 'createDenied', 'AclDenied', 'deleteDenied')
  | summarize Count = count() by bin(Timestamp, 5m), UserName, EdgeFiler
  | where Count > 1000  
severity: High
status: Available
queryPeriod: 5m
name: CTERA Mass Access Denied Detection Analytic
tactics:
- DefenseEvasion
kind: Scheduled