Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - High Severity Mobile Threats Detected v2

Lookout - High Severity Mobile Threats Detected v2

Back
Id8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
RulenameLookout - High Severity Mobile Threats Detected (v2)
DescriptionDetects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.
SeverityHigh
TacticsDiscovery
DefenseEvasion
Persistence
PrivilegeEscalation
TechniquesT1424
T1418
T1629
T1630
Required data connectorsLookoutAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Version2.0.3
Arm template8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f.json
Deploy To Azure
LookoutEvents
| where EventType == "THREAT"
| where ThreatSeverity in ("CRITICAL", "HIGH")
| where ThreatAction == "DETECTED"
| where ThreatStatus in ("OPEN", "ACTIVE")
| extend 
    ThreatRiskScore = case(
        ThreatSeverity == "CRITICAL", 10,
        ThreatSeverity == "HIGH", 8,
        ThreatSeverity == "MEDIUM", 5,
        ThreatSeverity == "LOW", 2,
        1
    ),
    DeviceRiskLevel = case(
        DeviceSecurityStatus == "THREATS_HIGH", "High",
        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
        DeviceSecurityStatus == "THREATS_LOW", "Low",
        "Unknown"
    ),
    ThreatCategory = case(
        ThreatClassifications has "MALWARE", "Malware",
        ThreatClassifications has "PHISHING", "Phishing", 
        ThreatClassifications has "SPYWARE", "Spyware",
        ThreatClassifications has "TROJAN", "Trojan",
        ThreatClassifications has "ADWARE", "Adware",
        "Other"
    )
| extend ComplianceImpact = case(
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    ThreatId,
    ThreatType,
    ThreatSeverity,
    ThreatRiskScore,
    ThreatCategory,
    ThreatClassifications,
    ThreatStatus,
    ThreatDescription,
    ThreatApplicationName,
    ThreatPackageName,
    ThreatPackageSha,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    DeviceComplianceStatus,
    ComplianceImpact,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid

triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P1D
    enabled: true
    groupByAlertDetails:
    - ThreatType
    - DeviceGuid
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByCustomDetails:
    - ThreatCategory
    - DevicePlatform
    groupByEntities:
    - Account
    - Host
  createIncident: true
queryFrequency: 5m
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
relevantTechniques:
- T1424
- T1418
- T1629
- T1630
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: ThreatApplicationName
  - identifier: Value
    columnName: ThreatPackageSha
query: |
  LookoutEvents
  | where EventType == "THREAT"
  | where ThreatSeverity in ("CRITICAL", "HIGH")
  | where ThreatAction == "DETECTED"
  | where ThreatStatus in ("OPEN", "ACTIVE")
  | extend 
      ThreatRiskScore = case(
          ThreatSeverity == "CRITICAL", 10,
          ThreatSeverity == "HIGH", 8,
          ThreatSeverity == "MEDIUM", 5,
          ThreatSeverity == "LOW", 2,
          1
      ),
      DeviceRiskLevel = case(
          DeviceSecurityStatus == "THREATS_HIGH", "High",
          DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
          DeviceSecurityStatus == "THREATS_LOW", "Low",
          "Unknown"
      ),
      ThreatCategory = case(
          ThreatClassifications has "MALWARE", "Malware",
          ThreatClassifications has "PHISHING", "Phishing", 
          ThreatClassifications has "SPYWARE", "Spyware",
          ThreatClassifications has "TROJAN", "Trojan",
          ThreatClassifications has "ADWARE", "Adware",
          "Other"
      )
  | extend ComplianceImpact = case(
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      ThreatId,
      ThreatType,
      ThreatSeverity,
      ThreatRiskScore,
      ThreatCategory,
      ThreatClassifications,
      ThreatStatus,
      ThreatDescription,
      ThreatApplicationName,
      ThreatPackageName,
      ThreatPackageSha,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      DeviceComplianceStatus,
      ComplianceImpact,
      ClientLookoutSDKVersion,
      MDMConnectorId,
      MDMExternalId,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid  
triggerThreshold: 0
customDetails:
  ThreatStatus: ThreatStatus
  DeviceSecStatus: DeviceSecurityStatus
  ThreatRiskScore: ThreatRiskScore
  DevicePlatform: DevicePlatform
  ThreatType: ThreatType
  ThreatSeverity: ThreatSeverity
  DeviceRiskLevel: DeviceRiskLevel
  MDMConnectorId: MDMConnectorId
  ComplianceImpact: ComplianceImpact
  ThreatCategory: ThreatCategory
  ThreatClasses: ThreatClassifications
alertDetailsOverride:
  alertDisplayNameFormat: 'High Severity Mobile Threat: {{ThreatType}} on {{DevicePlatform}} Device'
  alertSeverityColumnName: ThreatSeverity
  alertTacticsColumnName: ThreatCategory
  alertDescriptionFormat: '{{ThreatSeverity}} {{ThreatCategory}} threat on {{DevicePlatform}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
suppressionEnabled: false
queryPeriod: 15m
name: Lookout - High Severity Mobile Threats Detected (v2)
status: Available
kind: Scheduled
description: |
    'Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.'
id: 8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
version: 2.0.3
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- Discovery
- DefenseEvasion
- Persistence
- PrivilegeEscalation
severity: High
suppressionDuration: PT1H