let threshold = 1;
TMApexOneEvent
| where EventMessage has "Device access"
| extend DeviceCustomNumber3 = coalesce(
column_ifexists("FieldDeviceCustomNumber3", long(null)),
DeviceCustomNumber3,
long(null)
)
| extend Permission = case(
DeviceCustomNumber3 == "0", "Modify",
DeviceCustomNumber3 == "1", "Read and execute",
DeviceCustomNumber3 == "2", "Read",
DeviceCustomNumber3 == "3", "List device content only",
DeviceCustomNumber3 == "4", "Block",
"unknown"
)
| summarize Permissions = make_set(Permission) by DstUserName
| extend PermissionCount = array_length(Permissions)
| where PermissionCount > threshold
| extend AccountCustomEntity = DstUserName
queryFrequency: 1h
tactics:
- PrivilegeEscalation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml
id: b463b952-67b8-11ec-90d6-0242ac120003
name: ApexOne - Device access permissions was changed
triggerOperator: gt
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
kind: Scheduled
version: 1.0.4
description: |
'Query shows device access permissions was changed.'
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
relevantTechniques:
- T1078
queryPeriod: 1h
severity: Medium
triggerThreshold: 0
query: |
let threshold = 1;
TMApexOneEvent
| where EventMessage has "Device access"
| extend DeviceCustomNumber3 = coalesce(
column_ifexists("FieldDeviceCustomNumber3", long(null)),
DeviceCustomNumber3,
long(null)
)
| extend Permission = case(
DeviceCustomNumber3 == "0", "Modify",
DeviceCustomNumber3 == "1", "Read and execute",
DeviceCustomNumber3 == "2", "Read",
DeviceCustomNumber3 == "3", "List device content only",
DeviceCustomNumber3 == "4", "Block",
"unknown"
)
| summarize Permissions = make_set(Permission) by DstUserName
| extend PermissionCount = array_length(Permissions)
| where PermissionCount > threshold
| extend AccountCustomEntity = DstUserName
