Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - High Severity Mobile Threats Detected v2

Lookout - High Severity Mobile Threats Detected v2

Back
Id8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
RulenameLookout - High Severity Mobile Threats Detected (v2)
DescriptionDetects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.
SeverityHigh
TacticsDiscovery
DefenseEvasion
Persistence
PrivilegeEscalation
TechniquesT1424
T1418
T1629
T1630
Required data connectorsLookoutAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Version2.0.3
Arm template8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f.json
Deploy To Azure
LookoutEvents
| where EventType == "THREAT"
| where ThreatSeverity in ("CRITICAL", "HIGH")
| where ThreatAction == "DETECTED"
| where ThreatStatus in ("OPEN", "ACTIVE")
| extend 
    ThreatRiskScore = case(
        ThreatSeverity == "CRITICAL", 10,
        ThreatSeverity == "HIGH", 8,
        ThreatSeverity == "MEDIUM", 5,
        ThreatSeverity == "LOW", 2,
        1
    ),
    DeviceRiskLevel = case(
        DeviceSecurityStatus == "THREATS_HIGH", "High",
        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
        DeviceSecurityStatus == "THREATS_LOW", "Low",
        "Unknown"
    ),
    ThreatCategory = case(
        ThreatClassifications has "MALWARE", "Malware",
        ThreatClassifications has "PHISHING", "Phishing", 
        ThreatClassifications has "SPYWARE", "Spyware",
        ThreatClassifications has "TROJAN", "Trojan",
        ThreatClassifications has "ADWARE", "Adware",
        "Other"
    )
| extend ComplianceImpact = case(
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    ThreatId,
    ThreatType,
    ThreatSeverity,
    ThreatRiskScore,
    ThreatCategory,
    ThreatClassifications,
    ThreatStatus,
    ThreatDescription,
    ThreatApplicationName,
    ThreatPackageName,
    ThreatPackageSha,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    DeviceComplianceStatus,
    ComplianceImpact,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid

version: 2.0.3
queryFrequency: 5m
kind: Scheduled
suppressionDuration: PT1H
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1424
- T1418
- T1629
- T1630
alertDetailsOverride:
  alertDisplayNameFormat: 'High Severity Mobile Threat: {{ThreatType}} on {{DevicePlatform}} Device'
  alertDescriptionFormat: '{{ThreatSeverity}} {{ThreatCategory}} threat on {{DevicePlatform}}'
  alertSeverityColumnName: ThreatSeverity
  alertTacticsColumnName: ThreatCategory
triggerOperator: gt
customDetails:
  ComplianceImpact: ComplianceImpact
  DeviceSecStatus: DeviceSecurityStatus
  ThreatType: ThreatType
  ThreatCategory: ThreatCategory
  ThreatSeverity: ThreatSeverity
  DeviceRiskLevel: DeviceRiskLevel
  ThreatClasses: ThreatClassifications
  DevicePlatform: DevicePlatform
  MDMConnectorId: MDMConnectorId
  ThreatRiskScore: ThreatRiskScore
  ThreatStatus: ThreatStatus
status: Available
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
id: 8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
name: Lookout - High Severity Mobile Threats Detected (v2)
query: |
  LookoutEvents
  | where EventType == "THREAT"
  | where ThreatSeverity in ("CRITICAL", "HIGH")
  | where ThreatAction == "DETECTED"
  | where ThreatStatus in ("OPEN", "ACTIVE")
  | extend 
      ThreatRiskScore = case(
          ThreatSeverity == "CRITICAL", 10,
          ThreatSeverity == "HIGH", 8,
          ThreatSeverity == "MEDIUM", 5,
          ThreatSeverity == "LOW", 2,
          1
      ),
      DeviceRiskLevel = case(
          DeviceSecurityStatus == "THREATS_HIGH", "High",
          DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
          DeviceSecurityStatus == "THREATS_LOW", "Low",
          "Unknown"
      ),
      ThreatCategory = case(
          ThreatClassifications has "MALWARE", "Malware",
          ThreatClassifications has "PHISHING", "Phishing", 
          ThreatClassifications has "SPYWARE", "Spyware",
          ThreatClassifications has "TROJAN", "Trojan",
          ThreatClassifications has "ADWARE", "Adware",
          "Other"
      )
  | extend ComplianceImpact = case(
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      ThreatId,
      ThreatType,
      ThreatSeverity,
      ThreatRiskScore,
      ThreatCategory,
      ThreatClassifications,
      ThreatStatus,
      ThreatDescription,
      ThreatApplicationName,
      ThreatPackageName,
      ThreatPackageSha,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      DeviceComplianceStatus,
      ComplianceImpact,
      ClientLookoutSDKVersion,
      MDMConnectorId,
      MDMExternalId,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid  
queryPeriod: 15m
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
triggerThreshold: 0
description: |
    'Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: ThreatApplicationName
  - identifier: Value
    columnName: ThreatPackageSha
severity: High
tactics:
- Discovery
- DefenseEvasion
- Persistence
- PrivilegeEscalation
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P1D
    matchingMethod: Selected
    groupByEntities:
    - Account
    - Host
    groupByCustomDetails:
    - ThreatCategory
    - DevicePlatform
    groupByAlertDetails:
    - ThreatType
    - DeviceGuid
    reopenClosedIncident: false
    enabled: true