Microsoft Sentinel Analytic Rules

TacitRed - High Confidence Compromise

Id: b2c3d4e5-f6a7-8901-bcde-f23456789012
Rulename: TacitRed - High Confidence Compromise
Description: Detects compromised credentials with high confidence scores.

High confidence findings indicate verified credential compromises that require immediate attention.

Ref: https://data443.com/tacitred-attack-surface-intelligence/
Severity: High
Tactics: CredentialAccess, InitialAccess, Reconnaissance
Techniques: T1078, T1589
Required data connectors: TacitRedThreatIntel
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TacitRedThreatIntelligence/Analytic Rules/TacitRed - High Confidence Compromise.yaml
Version: 1.0.1
Arm template: b2c3d4e5-f6a7-8901-bcde-f23456789012.json
TacitRed_Findings_CL
| where TimeGenerated >= ago(1h)
| where confidence_d >= 80
| extend
    Email = tostring(email_s),
    Username = tostring(username_s),
    Domain = tostring(domain_s),
    FindingType = tostring(findingType_s),
    Confidence = todouble(confidence_d),
    Source = tostring(source_s),
    Severity = tostring(severity_s)
| project
    TimeGenerated,
    Email,
    Username,
    Domain,
    FindingType,
    Confidence,
    Source,
    Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Username
  - identifier: UPNSuffix
    columnName: Email
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
requiredDataConnectors:
- dataTypes:
  - TacitRed_Findings_CL
  connectorId: TacitRedThreatIntel
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TacitRedThreatIntelligence/Analytic Rules/TacitRed - High Confidence Compromise.yaml
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    reopenClosedIncident: false
    enabled: true
    groupByEntities:
    - Account
    matchingMethod: Selected
name: TacitRed - High Confidence Compromise
relevantTechniques:
- T1078
- T1589
query: |-
  TacitRed_Findings_CL
  | where TimeGenerated >= ago(1h)
  | where confidence_d >= 80
  | extend
      Email = tostring(email_s),
      Username = tostring(username_s),
      Domain = tostring(domain_s),
      FindingType = tostring(findingType_s),
      Confidence = todouble(confidence_d),
      Source = tostring(source_s),
      Severity = tostring(severity_s)
  | project
      TimeGenerated,
      Email,
      Username,
      Domain,
      FindingType,
      Confidence,
      Source,
      Severity  
version: 1.0.1
queryPeriod: 1h
kind: Scheduled
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
description: |-
  Detects compromised credentials with high confidence scores.
  High confidence findings indicate verified credential compromises that require immediate attention.

  Ref: https://data443.com/tacitred-attack-surface-intelligence/  
queryFrequency: 1h
severity: High
triggerOperator: GreaterThan
tactics:
- CredentialAccess
- InitialAccess
- Reconnaissance
suppressionDuration: 5h