Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CyberArkEPM - Attack attempt not blocked

Back
Id8e8978a2-9188-4187-8909-5ea00507bf16
RulenameCyberArkEPM - Attack attempt not blocked
DescriptionThis rule triggers on attack attempt which was not blocked by CyberArkEPM.
SeverityHigh
TacticsExecution
TechniquesT1204
Required data connectorsCyberArkEPM
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml
Version1.0.0
Arm template8e8978a2-9188-4187-8909-5ea00507bf16.json
Deploy To Azure
CyberArkEPM
| where EventSubType =~ 'AttackAttempt'
| where ThreatProtectionAction =~ 'Detect'
| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences
| extend AccountCustomEntity = ActorUsername
id: 8e8978a2-9188-4187-8909-5ea00507bf16
tactics:
- Execution
queryPeriod: 10m
triggerThreshold: 0
name: CyberArkEPM - Attack attempt not blocked
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | where ThreatProtectionAction =~ 'Detect'
  | project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences
  | extend AccountCustomEntity = ActorUsername  
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1204
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml
queryFrequency: 10m
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
description: |
    'This rule triggers on attack attempt which was not blocked by CyberArkEPM.'
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e8978a2-9188-4187-8909-5ea00507bf16')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e8978a2-9188-4187-8909-5ea00507bf16')]",
      "properties": {
        "alertRuleTemplateName": "8e8978a2-9188-4187-8909-5ea00507bf16",
        "customDetails": null,
        "description": "'This rule triggers on attack attempt which was not blocked by CyberArkEPM.'\n",
        "displayName": "CyberArkEPM - Attack attempt not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml",
        "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| where ThreatProtectionAction =~ 'Detect'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}