Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - High Severity Mobile Threats Detected v2

Lookout - High Severity Mobile Threats Detected v2

Back
Id8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
RulenameLookout - High Severity Mobile Threats Detected (v2)
DescriptionDetects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.
SeverityHigh
TacticsDiscovery
DefenseEvasion
Persistence
PrivilegeEscalation
TechniquesT1424
T1418
T1629
T1630
Required data connectorsLookoutAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Version2.0.5
Arm template8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f.json
Deploy To Azure
LookoutEvents
| where EventType == "THREAT"
| where ThreatSeverity in ("CRITICAL", "HIGH")
| where ThreatStatus in ("OPEN", "ACTIVE")
| where ThreatAction == "DETECTED"
| extend
    ThreatRiskScore = case(
        ThreatSeverity == "CRITICAL", 10,
        ThreatSeverity == "HIGH", 8,
        ThreatSeverity == "MEDIUM", 5,
        ThreatSeverity == "LOW", 2,
        1
    ),
    DeviceRiskLevel = case(
        DeviceSecurityStatus == "THREATS_HIGH", "High",
        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
        DeviceSecurityStatus == "THREATS_LOW", "Low",
        "Unknown"
    ),
    ThreatCategory = case(
        ThreatClassifications has "MALWARE", "Malware",
        ThreatClassifications has "PHISHING", "Phishing", 
        ThreatClassifications has "SPYWARE", "Spyware",
        ThreatClassifications has "TROJAN", "Trojan",
        ThreatClassifications has "ADWARE", "Adware",
        "Other"
    )
| extend ComplianceImpact = case(
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    ThreatId,
    ThreatType,
    ThreatSeverity,
    ThreatRiskScore,
    ThreatCategory,
    ThreatClassifications,
    ThreatStatus,
    ThreatDescription,
    ThreatApplicationName,
    ThreatPackageName,
    ThreatPackageSha,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    DeviceComplianceStatus,
    ComplianceImpact,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: ThreatApplicationName
  - identifier: Value
    columnName: ThreatPackageSha
tactics:
- Discovery
- DefenseEvasion
- Persistence
- PrivilegeEscalation
suppressionEnabled: false
suppressionDuration: PT1H
requiredDataConnectors:
- dataTypes:
  - LookoutEvents
  connectorId: LookoutAPI
alertDetailsOverride:
  alertDisplayNameFormat: 'High Severity Mobile Threat: {{ThreatType}} on {{DevicePlatform}} Device'
  alertDescriptionFormat: '{{ThreatSeverity}} {{ThreatCategory}} threat on {{DevicePlatform}}'
  alertTacticsColumnName: ThreatCategory
  alertSeverityColumnName: ThreatSeverity
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails:
    - ThreatType
    - DeviceGuid
    lookbackDuration: P1D
    groupByEntities:
    - Account
    - Host
    groupByCustomDetails:
    - ThreatCategory
    - DevicePlatform
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: 8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  DeviceSecStatus: DeviceSecurityStatus
  ComplianceImpact: ComplianceImpact
  ThreatCategory: ThreatCategory
  ThreatRiskScore: ThreatRiskScore
  ThreatSeverity: ThreatSeverity
  ThreatType: ThreatType
  ThreatClasses: ThreatClassifications
  MDMConnectorId: MDMConnectorId
  DevicePlatform: DevicePlatform
  DeviceRiskLevel: DeviceRiskLevel
  ThreatStatus: ThreatStatus
query: |
  LookoutEvents
  | where EventType == "THREAT"
  | where ThreatSeverity in ("CRITICAL", "HIGH")
  | where ThreatStatus in ("OPEN", "ACTIVE")
  | where ThreatAction == "DETECTED"
  | extend
      ThreatRiskScore = case(
          ThreatSeverity == "CRITICAL", 10,
          ThreatSeverity == "HIGH", 8,
          ThreatSeverity == "MEDIUM", 5,
          ThreatSeverity == "LOW", 2,
          1
      ),
      DeviceRiskLevel = case(
          DeviceSecurityStatus == "THREATS_HIGH", "High",
          DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
          DeviceSecurityStatus == "THREATS_LOW", "Low",
          "Unknown"
      ),
      ThreatCategory = case(
          ThreatClassifications has "MALWARE", "Malware",
          ThreatClassifications has "PHISHING", "Phishing", 
          ThreatClassifications has "SPYWARE", "Spyware",
          ThreatClassifications has "TROJAN", "Trojan",
          ThreatClassifications has "ADWARE", "Adware",
          "Other"
      )
  | extend ComplianceImpact = case(
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      ThreatId,
      ThreatType,
      ThreatSeverity,
      ThreatRiskScore,
      ThreatCategory,
      ThreatClassifications,
      ThreatStatus,
      ThreatDescription,
      ThreatApplicationName,
      ThreatPackageName,
      ThreatPackageSha,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      DeviceComplianceStatus,
      ComplianceImpact,
      ClientLookoutSDKVersion,
      MDMConnectorId,
      MDMExternalId,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
kind: Scheduled
queryPeriod: 15m
version: 2.0.5
name: Lookout - High Severity Mobile Threats Detected (v2)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1424
- T1418
- T1629
- T1630
description: |
    'Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.'
triggerOperator: gt