Netskope - New Risky App Access vs 7-Day Baseline
| Id | ba66b81c-2cf7-4c53-9db0-e8b6f537704a |
| Rulename | Netskope - New Risky App Access vs 7-Day Baseline |
| Description | Compares today’s accessed applications against a 7-day baseline and triggers alerts when users access new risky applications not seen before. |
| Severity | Medium |
| Tactics | InitialAccess Discovery |
| Techniques | T1199 T1526 |
| Required data connectors | NetskopeWebTxConnector |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 8d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule7.yaml |
| Version | 1.0.0 |
| Arm template | ba66b81c-2cf7-4c53-9db0-e8b6f537704a.json |
let lookbackPeriod = 7d;
let currentPeriod = 1d;
let baseline = NetskopeWebTransactions_CL
| where TimeGenerated between (ago(lookbackPeriod) .. ago(currentPeriod))
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| summarize BaselineApps = make_set(XCsApp) by CsUsername;
let current = NetskopeWebTransactions_CL
| where TimeGenerated > ago(currentPeriod)
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| where XCsAppCcl =~ 'poor' or XCsAppCcl =~ 'low' or XCsAppCcl =~ 'medium' or XCsAppCci < 70
| summarize
CurrentApps = make_set(XCsApp),
arg_max(TimeGenerated, XCsAppCcl, XCsAppCci, XCsAppCategory)
by CsUsername, XCsApp;
current
| join kind=leftouter baseline on CsUsername
| extend BaselineApps = coalesce(BaselineApps, dynamic([]))
| where not(set_has_element(BaselineApps, XCsApp))
| where isnotempty(XCsApp)
| where XCsAppCci < 70 or XCsAppCcl =~ 'poor' or XCsAppCcl =~ 'low'
| project
TimeGenerated,
User = CsUsername,
NewRiskyApp = XCsApp,
AppCCL = XCsAppCcl,
AppCCI = XCsAppCci,
AppCategory = XCsAppCategory,
BaselineAppCount = array_length(BaselineApps)
relevantTechniques:
- T1199
- T1526
entityMappings:
- entityType: Account
fieldMappings:
- columnName: User
identifier: Name
- entityType: CloudApplication
fieldMappings:
- columnName: NewRiskyApp
identifier: Name
version: 1.0.0
id: ba66b81c-2cf7-4c53-9db0-e8b6f537704a
severity: Medium
kind: Scheduled
queryFrequency: 1d
description: |
Compares today's accessed applications against a 7-day baseline and triggers alerts when users access new risky applications not seen before.
requiredDataConnectors:
- connectorId: NetskopeWebTxConnector
dataTypes:
- NetskopeWebTransactions_CL
triggerOperator: gt
name: Netskope - New Risky App Access vs 7-Day Baseline
tactics:
- InitialAccess
- Discovery
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule7.yaml
triggerThreshold: 0
queryPeriod: 8d
query: |
let lookbackPeriod = 7d;
let currentPeriod = 1d;
let baseline = NetskopeWebTransactions_CL
| where TimeGenerated between (ago(lookbackPeriod) .. ago(currentPeriod))
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| summarize BaselineApps = make_set(XCsApp) by CsUsername;
let current = NetskopeWebTransactions_CL
| where TimeGenerated > ago(currentPeriod)
| where isnotempty(CsUsername) and isnotempty(XCsApp)
| where XCsAppCcl =~ 'poor' or XCsAppCcl =~ 'low' or XCsAppCcl =~ 'medium' or XCsAppCci < 70
| summarize
CurrentApps = make_set(XCsApp),
arg_max(TimeGenerated, XCsAppCcl, XCsAppCci, XCsAppCategory)
by CsUsername, XCsApp;
current
| join kind=leftouter baseline on CsUsername
| extend BaselineApps = coalesce(BaselineApps, dynamic([]))
| where not(set_has_element(BaselineApps, XCsApp))
| where isnotempty(XCsApp)
| where XCsAppCci < 70 or XCsAppCcl =~ 'poor' or XCsAppCcl =~ 'low'
| project
TimeGenerated,
User = CsUsername,
NewRiskyApp = XCsApp,
AppCCL = XCsAppCcl,
AppCCI = XCsAppCci,
AppCategory = XCsAppCategory,
BaselineAppCount = array_length(BaselineApps)
status: Available