Zscaler - Forbidden countries

Back


Id	b3d112b4-3e1e-11ec-9bbc-0242ac130002
Rulename	Zscaler - Forbidden countries
Description	Detects suspicious ZPA connections from forbidden countries.
Severity	High
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountries.yaml
Version	1.0.2
Arm template	b3d112b4-3e1e-11ec-9bbc-0242ac130002.json

KQL

let bl_countries = dynamic(['CH', 'RU']);       //List of countries from which you do not expect connections
ZPAEvent 
| where DvcAction == 'open'
| where SrcGeoCountry in~ (bl_countries)
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

YAML

description: |
    'Detects suspicious ZPA connections from forbidden countries.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zscaler Private Access (ZPA)/Analytic Rules/ZscalerUnexpectedCountries.yaml
requiredDataConnectors:
- datatypes:
  - ZPA_CL
  connectorId: CustomLogsAma
query: |
  let bl_countries = dynamic(['CH', 'RU']);       //List of countries from which you do not expect connections
  ZPAEvent 
  | where DvcAction == 'open'
  | where SrcGeoCountry in~ (bl_countries)
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName  
triggerThreshold: 0
name: Zscaler - Forbidden countries
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
tactics:
- InitialAccess
queryPeriod: 1h
severity: High
status: Available
queryFrequency: 1h
id: b3d112b4-3e1e-11ec-9bbc-0242ac130002
kind: Scheduled
version: 1.0.2
triggerOperator: gt

ARM