Microsoft Sentinel Analytic Rules

ApexOne - Device access permissions was changed

Idb463b952-67b8-11ec-90d6-0242ac120003
RulenameApexOne - Device access permissions was changed
DescriptionQuery shows device access permissions was changed.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsCefAma
TrendMicroApexOne
TrendMicroApexOneAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml
Version1.0.3
Arm templateb463b952-67b8-11ec-90d6-0242ac120003.json
// Flag accounts whose Apex One "Device access" events carry more than one distinct
// permission value inside the query window, i.e. the device-access permission level
// for that account changed within the lookback period.
// An account must show at least (threshold + 1) distinct permission labels to alert.
let threshold = 1;
TMApexOneEvent
| where EventMessage has "Device access"
// Read the permission code from FieldDeviceCustomNumber3 when that column exists in the
// table, otherwise fall back to DeviceCustomNumber3; rows with neither end up null.
| extend DeviceCustomNumber3 = coalesce(
                                  column_ifexists("FieldDeviceCustomNumber3", long(null)),
                                  DeviceCustomNumber3,
                                  long(null)
                              )
// Translate the numeric code into a human-readable permission label.
// A null or unmapped code becomes "unknown"; note that "unknown" still counts as a
// distinct value in the set built below, so one mapped and one unmapped event for the
// same account is enough to cross the threshold.
// NOTE(review): the code is a long, but every case() branch compares it against a string
// literal ("0".."4"); confirm this comparison resolves as intended, otherwise all rows
// collapse to "unknown" and the rule never produces more than one label per account.
| extend Permission = case(
                            DeviceCustomNumber3 == "0", "Modify", 
                            DeviceCustomNumber3 == "1", "Read and execute",
                            DeviceCustomNumber3 == "2", "Read",
                            DeviceCustomNumber3 == "3", "List device content only", 
                            DeviceCustomNumber3 == "4", "Block",
                            "unknown"
                      )
// One row per account with the set of distinct permission labels observed in the window.
| summarize Permissions = make_set(Permission) by DstUserName
| extend PermissionCount = array_length(Permissions)
// Keep only accounts with two or more distinct permission states.
| where PermissionCount > threshold
// Surfaced for the Account entity mapping (AccountCustomEntity -> Account.Name).
| extend AccountCustomEntity = DstUserName
tactics:
- PrivilegeEscalation
query: |
  let threshold = 1;
  TMApexOneEvent
  | where EventMessage has "Device access"
  | extend DeviceCustomNumber3 = coalesce(
                                    column_ifexists("FieldDeviceCustomNumber3", long(null)),
                                    DeviceCustomNumber3,
                                    long(null)
                                )
  | extend Permission = case(
                              DeviceCustomNumber3 == "0", "Modify", 
                              DeviceCustomNumber3 == "1", "Read and execute",
                              DeviceCustomNumber3 == "2", "Read",
                              DeviceCustomNumber3 == "3", "List device content only", 
                              DeviceCustomNumber3 == "4", "Block",
                              "unknown"
                        )
  | summarize Permissions = make_set(Permission) by DstUserName
  | extend PermissionCount = array_length(Permissions)
  | where PermissionCount > threshold
  | extend AccountCustomEntity = DstUserName  
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml
queryPeriod: 1h
kind: Scheduled
version: 1.0.3
triggerOperator: gt
status: Available
relevantTechniques:
- T1078
name: ApexOne - Device access permissions was changed
triggerThreshold: 0
severity: Medium
description: |
    'Query shows device access permissions was changed.'
requiredDataConnectors:
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOne
- dataTypes:
  - TMApexOneEvent
  connectorId: TrendMicroApexOneAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
id: b463b952-67b8-11ec-90d6-0242ac120003
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b463b952-67b8-11ec-90d6-0242ac120003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b463b952-67b8-11ec-90d6-0242ac120003')]",
      "properties": {
        "alertRuleTemplateName": "b463b952-67b8-11ec-90d6-0242ac120003",
        "customDetails": null,
        "description": "'Query shows device access permissions was changed.'\n",
        "displayName": "ApexOne - Device access permissions was changed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml",
        "query": "let threshold = 1;\nTMApexOneEvent\n| where EventMessage has \"Device access\"\n| extend DeviceCustomNumber3 = coalesce(\n                                  column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),\n                                  DeviceCustomNumber3,\n                                  long(null)\n                              )\n| extend Permission = case(\n                            DeviceCustomNumber3 == \"0\", \"Modify\", \n                            DeviceCustomNumber3 == \"1\", \"Read and execute\",\n                            DeviceCustomNumber3 == \"2\", \"Read\",\n                            DeviceCustomNumber3 == \"3\", \"List device content only\", \n                            DeviceCustomNumber3 == \"4\", \"Block\",\n                            \"unknown\"\n                      )\n| summarize Permissions = make_set(Permission) by DstUserName\n| extend PermissionCount = array_length(Permissions)\n| where PermissionCount > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}