Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Certified Pre-Owned - backup of CA private key - rule 2

Certified Pre-Owned - backup of CA private key - rule 2

Back
Id88f8fbc0-345d-458e-85f6-f73921d5ef50
RulenameCertified Pre-Owned - backup of CA private key - rule 2
DescriptionThis query identifies someone that performs a backup of they CA key.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-backup-key-2.yaml
Version1.0.1
Arm template88f8fbc0-345d-458e-85f6-f73921d5ef50.json
Deploy To Azure
SecurityEvent
// Fill in the machine name of your CA.
| where EventID == 5059 and Computer contains "<YOUR CA MACHINE NAME>"
| where EventData contains "%%2499" and EventData contains "%%2464"
| extend EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
    where d["@Name"]=="KeyName"
    | project KeyName=tostring(d["#text"])
)
| mv-apply d=EventData.EventData.Data on
(
    where d["@Name"]=="SubjectUserName"
    | project SubjectUserName=tostring(d["#text"])
)
| parse Account with "<YOUR DOMAIN NAME>\\" CleanAccount "$"
| where not(Computer startswith CleanAccount)

description: |
    This query identifies someone that performs a backup of they CA key.
kind: Scheduled
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-backup-key-2.yaml
severity: Medium
name: Certified Pre-Owned - backup of CA private key - rule 2
triggerThreshold: 0
queryPeriod: 1h
query: |
  SecurityEvent
  // Fill in the machine name of your CA.
  | where EventID == 5059 and Computer contains "<YOUR CA MACHINE NAME>"
  | where EventData contains "%%2499" and EventData contains "%%2464"
  | extend EventData=parse_xml(EventData)
  | mv-apply d=EventData.EventData.Data on
  (
      where d["@Name"]=="KeyName"
      | project KeyName=tostring(d["#text"])
  )
  | mv-apply d=EventData.EventData.Data on
  (
      where d["@Name"]=="SubjectUserName"
      | project SubjectUserName=tostring(d["#text"])
  )
  | parse Account with "<YOUR DOMAIN NAME>\\" CleanAccount "$"
  | where not(Computer startswith CleanAccount)  
relevantTechniques:
- T1036
id: 88f8fbc0-345d-458e-85f6-f73921d5ef50
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName