Palo Alto Prisma Cloud - Anomalous access key usage

Back


Id	bd602b90-f7f9-4ae9-bf8c-3672a24deb39
Rulename	Palo Alto Prisma Cloud - Anomalous access key usage
Description	Detects anomalous API key usage activity.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
Version	1.0.1
Arm template	bd602b90-f7f9-4ae9-bf8c-3672a24deb39.json

KQL

let threshold = 10;
PaloAltoPrismaCloud
| where ResourceType =~ 'Login'
| where EventResult =~ 'Failed'
| where EventMessage has 'access key'
| summarize count() by UserName, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = UserName

YAML

triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
  dataTypes:
  - PaloAltoPrismaCloud
relevantTechniques:
- T1078
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
query: |
  let threshold = 10;
  PaloAltoPrismaCloud
  | where ResourceType =~ 'Login'
  | where EventResult =~ 'Failed'
  | where EventMessage has 'access key'
  | summarize count() by UserName, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = UserName  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
queryPeriod: 1h
name: Palo Alto Prisma Cloud - Anomalous access key usage
status: Available
kind: Scheduled
description: |
    'Detects anomalous API key usage activity.'
id: bd602b90-f7f9-4ae9-bf8c-3672a24deb39
version: 1.0.1
tactics:
- InitialAccess
severity: Medium

ARM