Microsoft Sentinel Analytic Rules

ApexOne - Device access permissions was changed

Id: b463b952-67b8-11ec-90d6-0242ac120003
Rulename: ApexOne - Device access permissions was changed
Description: Query shows device access permissions was changed.
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1078
Required data connectors: CefAma, TrendMicroApexOne, TrendMicroApexOneAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml
Version: 1.0.3
Arm template: b463b952-67b8-11ec-90d6-0242ac120003.json
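// Detection: an account whose Apex One device-access permission level took more
// than `threshold` distinct values inside the query window (1h) is reported,
// i.e. the permission was changed at least once. Output is one row per account
// (DstUserName) with the set of permission levels seen; AccountCustomEntity
// feeds the Account/Name entity mapping of the rule.
//
// `threshold` = number of distinct permission values an account may show before
// it is reported; 1 means "any change".
let threshold = 1;
TMApexOneEvent
// Keep only device-access control events.
| where EventMessage has "Device access"
// Normalize the permission code: use FieldDeviceCustomNumber3 when the parser
// exposes it, otherwise DeviceCustomNumber3. The long(null) defaults make the
// resulting column a long in every case.
| extend DeviceCustomNumber3 = coalesce(
                                  column_ifexists("FieldDeviceCustomNumber3", long(null)),
                                  DeviceCustomNumber3,
                                  long(null)
                              )
// Map the numeric code to a readable permission level. The column is a long
// after the coalesce above, so it is compared with numeric literals: the
// original string literals ("0", "1", ...) are a type mismatch against a long
// column and would not match the intended values (KQL may also reject the
// comparison outright). Unrecognized codes become "unknown" and still count
// as a distinct level.
| extend Permission = case(
                            DeviceCustomNumber3 == 0, "Modify",
                            DeviceCustomNumber3 == 1, "Read and execute",
                            DeviceCustomNumber3 == 2, "Read",
                            DeviceCustomNumber3 == 3, "List device content only",
                            DeviceCustomNumber3 == 4, "Block",
                            "unknown"
                      )
// One row per account with the distinct permission levels observed in the window.
| summarize Permissions = make_set(Permission) by DstUserName
| extend PermissionCount = array_length(Permissions)
// More than `threshold` distinct levels means the permission changed.
| where PermissionCount > threshold
// Column consumed by the rule's entityMappings (Account -> Name).
| extend AccountCustomEntity = DstUserName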
kind: Scheduled
relevantTechniques:
- T1078
description: |
    'Query shows device access permissions was changed.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- PrivilegeEscalation
name: ApexOne - Device access permissions was changed
requiredDataConnectors:
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
triggerThreshold: 0
version: 1.0.3
id: b463b952-67b8-11ec-90d6-0242ac120003
query: |
  let threshold = 1;
  TMApexOneEvent
  | where EventMessage has "Device access"
  | extend DeviceCustomNumber3 = coalesce(
                                    column_ifexists("FieldDeviceCustomNumber3", long(null)),
                                    DeviceCustomNumber3,
                                    long(null)
                                )
  | extend Permission = case(
                              DeviceCustomNumber3 == "0", "Modify", 
                              DeviceCustomNumber3 == "1", "Read and execute",
                              DeviceCustomNumber3 == "2", "Read",
                              DeviceCustomNumber3 == "3", "List device content only", 
                              DeviceCustomNumber3 == "4", "Block",
                              "unknown"
                        )
  | summarize Permissions = make_set(Permission) by DstUserName
  | extend PermissionCount = array_length(Permissions)
  | where PermissionCount > threshold
  | extend AccountCustomEntity = DstUserName  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b463b952-67b8-11ec-90d6-0242ac120003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b463b952-67b8-11ec-90d6-0242ac120003')]",
      "properties": {
        "alertRuleTemplateName": "b463b952-67b8-11ec-90d6-0242ac120003",
        "customDetails": null,
        "description": "'Query shows device access permissions was changed.'\n",
        "displayName": "ApexOne - Device access permissions was changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml",
        "query": "let threshold = 1;\nTMApexOneEvent\n| where EventMessage has \"Device access\"\n| extend DeviceCustomNumber3 = coalesce(\n                                  column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),\n                                  DeviceCustomNumber3,\n                                  long(null)\n                              )\n| extend Permission = case(\n                            DeviceCustomNumber3 == \"0\", \"Modify\", \n                            DeviceCustomNumber3 == \"1\", \"Read and execute\",\n                            DeviceCustomNumber3 == \"2\", \"Read\",\n                            DeviceCustomNumber3 == \"3\", \"List device content only\", \n                            DeviceCustomNumber3 == \"4\", \"Block\",\n                            \"unknown\"\n                      )\n| summarize Permissions = make_set(Permission) by DstUserName\n| extend PermissionCount = array_length(Permissions)\n| where PermissionCount > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}