CTERA Mass Permissions Changes Detection Analytic

Back


Id	90502ac9-19a2-41f0-ba81-e352de90b61b
Rulename	CTERA Mass Permissions Changes Detection Analytic
Description	This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1068
Required data connectors	CTERA
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	5000
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassPermissionChanges.yaml
Version	1.0.0
Arm template	90502ac9-19a2-41f0-ba81-e352de90b61b.json

KQL

Syslog
  | where ProcessName == 'gw-audit'
  | extend
      TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
      UserName = extract("user=([^|]*)", 1, SyslogMessage),
      Operation = extract("op=([^|]*)", 1, SyslogMessage),
      EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
      RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
      Share = extract("share=([^|]*)", 1, SyslogMessage),
      LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
      Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
  | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded','chown', 'setsd', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl')
  | summarize Count = count() by UserName, bin(Timestamp, 5m)
  | where Count > 5000

YAML

query: |
  Syslog
    | where ProcessName == 'gw-audit'
    | extend
        TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
        UserName = extract("user=([^|]*)", 1, SyslogMessage),
        Operation = extract("op=([^|]*)", 1, SyslogMessage),
        EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
        RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
        Share = extract("share=([^|]*)", 1, SyslogMessage),
        LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
        Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
    | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded','chown', 'setsd', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl')
    | summarize Count = count() by UserName, bin(Timestamp, 5m)
    | where Count > 5000  
status: Available
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 5000
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassPermissionChanges.yaml
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CTERA
alertDetailsOverride:
  alertnameFormat: CTERA Batch Access Denied Detection
  alertDescriptionFormat: |
        Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.
id: 90502ac9-19a2-41f0-ba81-e352de90b61b
tactics:
- PrivilegeEscalation
queryPeriod: 5m
queryFrequency: 5m
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserName
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: EdgeFiler
version: 1.0.0
customDetails:
  TenantName: TenantName
  Share: Share
  EdgeFiler: EdgeFiler
  RootPath: RootPath
  UserName: UserName
triggerOperator: GreaterThan
relevantTechniques:
- T1068
severity: High
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
kind: Scheduled
suppressionDuration: PT5H
name: CTERA Mass Permissions Changes Detection Analytic
description: This analytic rule detects and alerts when access denied operations generated by the CTERA Edge Filer goes over a predefined threshold

ARM