Microsoft Sentinel Analytic Rules

TacitRed - Repeat Compromise Detection

Id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Rulename: TacitRed - Repeat Compromise Detection
Description: Detects users who have been compromised multiple times within a 7-day window. This may indicate a persistent threat or inadequate remediation.
Ref: https://data443.com/tacitred-attack-surface-intelligence/
Severity: High
Tactics: CredentialAccess, Persistence
Techniques: T1078
Required data connectors: TacitRedThreatIntel
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TacitRedThreatIntelligence/Analytic Rules/TacitRed - Repeat Compromise Detection.yaml
Version: 1.0.1
Arm template: a1b2c3d4-e5f6-7890-abcd-ef1234567890.json
let lookback = 7d;
TacitRed_Findings_CL
| where TimeGenerated >= ago(lookback)
| summarize
    CompromiseCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Sources = make_set(source_s),
    AvgConfidence = avg(confidence_d)
  by email_s, domain_s
| where CompromiseCount > 1
| extend
    Email = tostring(email_s),
    Domain = tostring(domain_s)
| project
    Email,
    Domain,
    CompromiseCount,
    FirstSeen,
    LastSeen,
    Sources,
    AvgConfidence
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Email
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
requiredDataConnectors:
- dataTypes:
  - TacitRed_Findings_CL
  connectorId: TacitRedThreatIntel
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TacitRedThreatIntelligence/Analytic Rules/TacitRed - Repeat Compromise Detection.yaml
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    reopenClosedIncident: false
    enabled: true
    groupByEntities:
    - Account
    matchingMethod: Selected
name: TacitRed - Repeat Compromise Detection
relevantTechniques:
- T1078
query: |-
  let lookback = 7d;
  TacitRed_Findings_CL
  | where TimeGenerated >= ago(lookback)
  | summarize
      CompromiseCount = count(),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated),
      Sources = make_set(source_s),
      AvgConfidence = avg(confidence_d)
    by email_s, domain_s
  | where CompromiseCount > 1
  | extend
      Email = tostring(email_s),
      Domain = tostring(domain_s)
  | project
      Email,
      Domain,
      CompromiseCount,
      FirstSeen,
      LastSeen,
      Sources,
      AvgConfidence
version: 1.0.1
queryPeriod: 7d
kind: Scheduled
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: |-
  Detects users who have been compromised multiple times within a 7-day window.
  This may indicate a persistent threat or inadequate remediation.

  Ref: https://data443.com/tacitred-attack-surface-intelligence/
queryFrequency: 1h
severity: High
triggerOperator: GreaterThan
tactics:
- CredentialAccess
- Persistence
suppressionDuration: 5h