Microsoft Sentinel Analytic Rules

CyberArkEPM - Attack attempt not blocked

Id: 8e8978a2-9188-4187-8909-5ea00507bf16
Rulename: CyberArkEPM - Attack attempt not blocked
Description: This rule triggers on attack attempt which was not blocked by CyberArkEPM.
Severity: High
Tactics: Execution
Techniques: T1204
Required data connectors: CyberArkEPM
Kind: Scheduled
Query frequency: 10m
Query period: 10m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml
Version: 1.0.0
Arm template: 8e8978a2-9188-4187-8909-5ea00507bf16.json
// Attack-attempt events from CyberArkEPM whose protection action was 'Detect'.
// `=~` compares case-insensitively, so any casing of either value matches.
CyberArkEPM
| where EventSubType =~ 'AttackAttempt' and ThreatProtectionAction =~ 'Detect'
// Keep only the columns used for triage; AccountCustomEntity duplicates
// ActorUsername under the name the rule's entity mapping reads.
| project
    EventEndTime,
    EventMessage,
    ActorUsername,
    ActingProcessFileInternalName,
    Evidences,
    AccountCustomEntity = ActorUsername
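# Microsoft Sentinel scheduled analytic rule. It raises a High-severity alert
# for CyberArkEPM 'AttackAttempt' events whose ThreatProtectionAction is
# 'Detect'; the rule description treats that action as "not blocked".
id: 8e8978a2-9188-4187-8909-5ea00507bf16
name: CyberArkEPM - Attack attempt not blocked
# The single quotes sit inside a literal block scalar, so they are part of the
# description string and not YAML quoting.
description: |
  'This rule triggers on attack attempt which was not blocked by CyberArkEPM.'
severity: High
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CyberArkEPM
  connectorId: CyberArkEPM
# The rule runs every 10 minutes over the preceding 10 minutes of data.
# NOTE(review): the lookback equals the run interval, so consecutive runs do
# not overlap. An event that reaches the workspace after its window has been
# evaluated is not picked up by a later run. Confirm the connector's ingestion
# latency before relying on this rule for coverage of unblocked attempts.
queryFrequency: 10m
queryPeriod: 10m
# gt 0: a single matching row is enough to raise an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
# T1204 is MITRE ATT&CK "User Execution".
relevantTechniques:
- T1204
# `=~` is KQL's case-insensitive equality. The projection keeps the event
# time, message, acting user, process internal name and evidence columns, and
# AccountCustomEntity copies ActorUsername for the entity mapping below.
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | where ThreatProtectionAction =~ 'Detect'
  | project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences
  | extend AccountCustomEntity = ActorUsername
# Only an Account entity is produced, identified by Name alone.
# NOTE(review): presumably ActorUsername can carry a domain or UPN part; verify,
# because Name on its own is a weak account identifier for correlation.
# NOTE(review): ActingProcessFileInternalName is projected but not mapped, and
# no host column is projected - TODO confirm whether the source exposes one so
# that alerts can be pivoted by endpoint.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml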
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e8978a2-9188-4187-8909-5ea00507bf16')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e8978a2-9188-4187-8909-5ea00507bf16')]",
      "properties": {
        "alertRuleTemplateName": "8e8978a2-9188-4187-8909-5ea00507bf16",
        "customDetails": null,
        "description": "'This rule triggers on attack attempt which was not blocked by CyberArkEPM.'\n",
        "displayName": "CyberArkEPM - Attack attempt not blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml",
        "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| where ThreatProtectionAction =~ 'Detect'\n| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName, Evidences\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}