Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - High Severity Mobile Threats Detected v2

Lookout - High Severity Mobile Threats Detected v2

Back
Id8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
RulenameLookout - High Severity Mobile Threats Detected (v2)
DescriptionDetects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.
SeverityHigh
TacticsDiscovery
DefenseEvasion
Persistence
PrivilegeEscalation
TechniquesT1424
T1418
T1629
T1630
Required data connectorsLookoutAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Version2.0.3
Arm template8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f.json
Deploy To Azure
LookoutEvents
| where EventType == "THREAT"
| where ThreatSeverity in ("CRITICAL", "HIGH")
| where ThreatAction == "DETECTED"
| where ThreatStatus in ("OPEN", "ACTIVE")
| extend 
    ThreatRiskScore = case(
        ThreatSeverity == "CRITICAL", 10,
        ThreatSeverity == "HIGH", 8,
        ThreatSeverity == "MEDIUM", 5,
        ThreatSeverity == "LOW", 2,
        1
    ),
    DeviceRiskLevel = case(
        DeviceSecurityStatus == "THREATS_HIGH", "High",
        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
        DeviceSecurityStatus == "THREATS_LOW", "Low",
        "Unknown"
    ),
    ThreatCategory = case(
        ThreatClassifications has "MALWARE", "Malware",
        ThreatClassifications has "PHISHING", "Phishing", 
        ThreatClassifications has "SPYWARE", "Spyware",
        ThreatClassifications has "TROJAN", "Trojan",
        ThreatClassifications has "ADWARE", "Adware",
        "Other"
    )
| extend ComplianceImpact = case(
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    ThreatId,
    ThreatType,
    ThreatSeverity,
    ThreatRiskScore,
    ThreatCategory,
    ThreatClassifications,
    ThreatStatus,
    ThreatDescription,
    ThreatApplicationName,
    ThreatPackageName,
    ThreatPackageSha,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    DeviceComplianceStatus,
    ComplianceImpact,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid

status: Available
kind: Scheduled
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
triggerThreshold: 0
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P1D
    enabled: true
    groupByAlertDetails:
    - ThreatType
    - DeviceGuid
    groupByEntities:
    - Account
    - Host
    matchingMethod: Selected
    groupByCustomDetails:
    - ThreatCategory
    - DevicePlatform
    reopenClosedIncident: false
  createIncident: true
suppressionDuration: PT1H
suppressionEnabled: false
version: 2.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: ThreatApplicationName
  - identifier: Value
    columnName: ThreatPackageSha
relevantTechniques:
- T1424
- T1418
- T1629
- T1630
name: Lookout - High Severity Mobile Threats Detected (v2)
alertDetailsOverride:
  alertTacticsColumnName: ThreatCategory
  alertDescriptionFormat: '{{ThreatSeverity}} {{ThreatCategory}} threat on {{DevicePlatform}}'
  alertSeverityColumnName: ThreatSeverity
  alertDisplayNameFormat: 'High Severity Mobile Threat: {{ThreatType}} on {{DevicePlatform}} Device'
customDetails:
  ThreatType: ThreatType
  DeviceSecStatus: DeviceSecurityStatus
  ThreatStatus: ThreatStatus
  ThreatClasses: ThreatClassifications
  DeviceRiskLevel: DeviceRiskLevel
  ThreatCategory: ThreatCategory
  DevicePlatform: DevicePlatform
  ComplianceImpact: ComplianceImpact
  MDMConnectorId: MDMConnectorId
  ThreatSeverity: ThreatSeverity
  ThreatRiskScore: ThreatRiskScore
tactics:
- Discovery
- DefenseEvasion
- Persistence
- PrivilegeEscalation
triggerOperator: gt
description: |
    'Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.'
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
query: |
  LookoutEvents
  | where EventType == "THREAT"
  | where ThreatSeverity in ("CRITICAL", "HIGH")
  | where ThreatAction == "DETECTED"
  | where ThreatStatus in ("OPEN", "ACTIVE")
  | extend 
      ThreatRiskScore = case(
          ThreatSeverity == "CRITICAL", 10,
          ThreatSeverity == "HIGH", 8,
          ThreatSeverity == "MEDIUM", 5,
          ThreatSeverity == "LOW", 2,
          1
      ),
      DeviceRiskLevel = case(
          DeviceSecurityStatus == "THREATS_HIGH", "High",
          DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
          DeviceSecurityStatus == "THREATS_LOW", "Low",
          "Unknown"
      ),
      ThreatCategory = case(
          ThreatClassifications has "MALWARE", "Malware",
          ThreatClassifications has "PHISHING", "Phishing", 
          ThreatClassifications has "SPYWARE", "Spyware",
          ThreatClassifications has "TROJAN", "Trojan",
          ThreatClassifications has "ADWARE", "Adware",
          "Other"
      )
  | extend ComplianceImpact = case(
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      ThreatId,
      ThreatType,
      ThreatSeverity,
      ThreatRiskScore,
      ThreatCategory,
      ThreatClassifications,
      ThreatStatus,
      ThreatDescription,
      ThreatApplicationName,
      ThreatPackageName,
      ThreatPackageSha,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      DeviceComplianceStatus,
      ComplianceImpact,
      ClientLookoutSDKVersion,
      MDMConnectorId,
      MDMExternalId,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid  
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
id: 8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f