Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Lookout - High Severity Mobile Threats Detected v2

Lookout - High Severity Mobile Threats Detected v2

Back
Id8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
RulenameLookout - High Severity Mobile Threats Detected (v2)
DescriptionDetects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.
SeverityHigh
TacticsDiscovery
DefenseEvasion
Persistence
PrivilegeEscalation
TechniquesT1424
T1418
T1629
T1630
Required data connectorsLookoutAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
Version2.0.3
Arm template8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f.json
Deploy To Azure
LookoutEvents
| where EventType == "THREAT"
| where ThreatSeverity in ("CRITICAL", "HIGH")
| where ThreatAction == "DETECTED"
| where ThreatStatus in ("OPEN", "ACTIVE")
| extend 
    ThreatRiskScore = case(
        ThreatSeverity == "CRITICAL", 10,
        ThreatSeverity == "HIGH", 8,
        ThreatSeverity == "MEDIUM", 5,
        ThreatSeverity == "LOW", 2,
        1
    ),
    DeviceRiskLevel = case(
        DeviceSecurityStatus == "THREATS_HIGH", "High",
        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
        DeviceSecurityStatus == "THREATS_LOW", "Low",
        "Unknown"
    ),
    ThreatCategory = case(
        ThreatClassifications has "MALWARE", "Malware",
        ThreatClassifications has "PHISHING", "Phishing", 
        ThreatClassifications has "SPYWARE", "Spyware",
        ThreatClassifications has "TROJAN", "Trojan",
        ThreatClassifications has "ADWARE", "Adware",
        "Other"
    )
| extend ComplianceImpact = case(
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
    "Low"
)
| project
    TimeGenerated,
    EventId,
    ThreatId,
    ThreatType,
    ThreatSeverity,
    ThreatRiskScore,
    ThreatCategory,
    ThreatClassifications,
    ThreatStatus,
    ThreatDescription,
    ThreatApplicationName,
    ThreatPackageName,
    ThreatPackageSha,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    DeviceComplianceStatus,
    ComplianceImpact,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid

id: 8b4a5c7e-2f91-4d8a-9e3b-1c6f8a2d4e9f
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: PT1H
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEventV2.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
  entityType: Host
- fieldMappings:
  - identifier: Algorithm
    columnName: ThreatApplicationName
  - identifier: Value
    columnName: ThreatPackageSha
  entityType: FileHash
requiredDataConnectors:
- dataTypes:
  - LookoutEvents
  connectorId: LookoutAPI
queryFrequency: 5m
alertDetailsOverride:
  alertTacticsColumnName: ThreatCategory
  alertDisplayNameFormat: 'High Severity Mobile Threat: {{ThreatType}} on {{DevicePlatform}} Device'
  alertSeverityColumnName: ThreatSeverity
  alertDescriptionFormat: '{{ThreatSeverity}} {{ThreatCategory}} threat on {{DevicePlatform}}'
suppressionEnabled: false
queryPeriod: 15m
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P1D
    groupByAlertDetails:
    - ThreatType
    - DeviceGuid
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByCustomDetails:
    - ThreatCategory
    - DevicePlatform
    groupByEntities:
    - Account
    - Host
    enabled: true
  createIncident: true
query: |
  LookoutEvents
  | where EventType == "THREAT"
  | where ThreatSeverity in ("CRITICAL", "HIGH")
  | where ThreatAction == "DETECTED"
  | where ThreatStatus in ("OPEN", "ACTIVE")
  | extend 
      ThreatRiskScore = case(
          ThreatSeverity == "CRITICAL", 10,
          ThreatSeverity == "HIGH", 8,
          ThreatSeverity == "MEDIUM", 5,
          ThreatSeverity == "LOW", 2,
          1
      ),
      DeviceRiskLevel = case(
          DeviceSecurityStatus == "THREATS_HIGH", "High",
          DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
          DeviceSecurityStatus == "THREATS_LOW", "Low",
          "Unknown"
      ),
      ThreatCategory = case(
          ThreatClassifications has "MALWARE", "Malware",
          ThreatClassifications has "PHISHING", "Phishing", 
          ThreatClassifications has "SPYWARE", "Spyware",
          ThreatClassifications has "TROJAN", "Trojan",
          ThreatClassifications has "ADWARE", "Adware",
          "Other"
      )
  | extend ComplianceImpact = case(
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
      DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
      DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
      "Low"
  )
  | project
      TimeGenerated,
      EventId,
      ThreatId,
      ThreatType,
      ThreatSeverity,
      ThreatRiskScore,
      ThreatCategory,
      ThreatClassifications,
      ThreatStatus,
      ThreatDescription,
      ThreatApplicationName,
      ThreatPackageName,
      ThreatPackageSha,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      DeviceComplianceStatus,
      ComplianceImpact,
      ClientLookoutSDKVersion,
      MDMConnectorId,
      MDMExternalId,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid  
name: Lookout - High Severity Mobile Threats Detected (v2)
kind: Scheduled
tactics:
- Discovery
- DefenseEvasion
- Persistence
- PrivilegeEscalation
severity: High
relevantTechniques:
- T1424
- T1418
- T1629
- T1630
triggerThreshold: 0
version: 2.0.3
description: |
    'Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring.'
customDetails:
  ThreatSeverity: ThreatSeverity
  DeviceRiskLevel: DeviceRiskLevel
  ThreatStatus: ThreatStatus
  ThreatCategory: ThreatCategory
  DevicePlatform: DevicePlatform
  DeviceSecStatus: DeviceSecurityStatus
  MDMConnectorId: MDMConnectorId
  ThreatType: ThreatType
  ThreatRiskScore: ThreatRiskScore
  ThreatClasses: ThreatClassifications
  ComplianceImpact: ComplianceImpact