Palo Alto Prisma Cloud - Anomalous access key usage

Back


Id	bd602b90-f7f9-4ae9-bf8c-3672a24deb39
Rulename	Palo Alto Prisma Cloud - Anomalous access key usage
Description	Detects anomalous API key usage activity.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
Version	1.0.1
Arm template	bd602b90-f7f9-4ae9-bf8c-3672a24deb39.json

KQL

let threshold = 10;
PaloAltoPrismaCloud
| where ResourceType =~ 'Login'
| where EventResult =~ 'Failed'
| where EventMessage has 'access key'
| summarize count() by UserName, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = UserName

YAML

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
name: Palo Alto Prisma Cloud - Anomalous access key usage
relevantTechniques:
- T1078
status: Available
version: 1.0.1
queryPeriod: 1h
kind: Scheduled
id: bd602b90-f7f9-4ae9-bf8c-3672a24deb39
query: |
  let threshold = 10;
  PaloAltoPrismaCloud
  | where ResourceType =~ 'Login'
  | where EventResult =~ 'Failed'
  | where EventMessage has 'access key'
  | summarize count() by UserName, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = UserName  
description: |
    'Detects anomalous API key usage activity.'
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- InitialAccess

ARM