CTERA Mass Permissions Changes Detection Analytic

Back


Id	90502ac9-19a2-41f0-ba81-e352de90b61b
Rulename	CTERA Mass Permissions Changes Detection Analytic
Description	This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1068
Required data connectors	CTERA
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	5000
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassPermissionChanges.yaml
Version	1.0.0
Arm template	90502ac9-19a2-41f0-ba81-e352de90b61b.json

KQL

Syslog
  | where ProcessName == 'gw-audit'
  | extend
      TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
      UserName = extract("user=([^|]*)", 1, SyslogMessage),
      Operation = extract("op=([^|]*)", 1, SyslogMessage),
      EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
      RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
      Share = extract("share=([^|]*)", 1, SyslogMessage),
      LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
      Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
  | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded','chown', 'setsd', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl')
  | summarize Count = count() by UserName, bin(Timestamp, 5m)
  | where Count > 5000

YAML

description: This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
kind: Scheduled
suppressionEnabled: false
queryFrequency: 5m
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassPermissionChanges.yaml
alertDetailsOverride:
  alertnameFormat: CTERA Batch Access Denied Detection
  alertDescriptionFormat: |
        Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.
status: Available
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: High
triggerOperator: GreaterThan
triggerThreshold: 5000
name: CTERA Mass Permissions Changes Detection Analytic
customDetails:
  EdgeFiler: EdgeFiler
  RootPath: RootPath
  TenantName: TenantName
  Share: Share
  UserName: UserName
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: EdgeFiler
    identifier: Name
  entityType: File
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
id: 90502ac9-19a2-41f0-ba81-e352de90b61b
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
relevantTechniques:
- T1068
tactics:
- PrivilegeEscalation
version: 1.0.0
query: |
  Syslog
    | where ProcessName == 'gw-audit'
    | extend
        TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
        UserName = extract("user=([^|]*)", 1, SyslogMessage),
        Operation = extract("op=([^|]*)", 1, SyslogMessage),
        EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
        RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
        Share = extract("share=([^|]*)", 1, SyslogMessage),
        LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
        Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
    | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded','chown', 'setsd', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl')
    | summarize Count = count() by UserName, bin(Timestamp, 5m)
    | where Count > 5000

ARM