Palo Alto Prisma Cloud - Anomalous access key usage

Back


Id	bd602b90-f7f9-4ae9-bf8c-3672a24deb39
Rulename	Palo Alto Prisma Cloud - Anomalous access key usage
Description	Detects anomalous API key usage activity.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
Version	1.0.1
Arm template	bd602b90-f7f9-4ae9-bf8c-3672a24deb39.json

KQL

let threshold = 10;
PaloAltoPrismaCloud
| where ResourceType =~ 'Login'
| where EventResult =~ 'Failed'
| where EventMessage has 'access key'
| summarize count() by UserName, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = UserName

YAML

requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
  dataTypes:
  - PaloAltoPrismaCloud
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
version: 1.0.1
status: Available
queryPeriod: 1h
severity: Medium
relevantTechniques:
- T1078
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects anomalous API key usage activity.'
query: |
  let threshold = 10;
  PaloAltoPrismaCloud
  | where ResourceType =~ 'Login'
  | where EventResult =~ 'Failed'
  | where EventMessage has 'access key'
  | summarize count() by UserName, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = UserName  
id: bd602b90-f7f9-4ae9-bf8c-3672a24deb39
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
name: Palo Alto Prisma Cloud - Anomalous access key usage

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bd602b90-f7f9-4ae9-bf8c-3672a24deb39')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bd602b90-f7f9-4ae9-bf8c-3672a24deb39')]",
      "properties": {
        "alertRuleTemplateName": "bd602b90-f7f9-4ae9-bf8c-3672a24deb39",
        "customDetails": null,
        "description": "'Detects anomalous API key usage activity.'\n",
        "displayName": "Palo Alto Prisma Cloud - Anomalous access key usage",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml",
        "query": "let threshold = 10;\nPaloAltoPrismaCloud\n| where ResourceType =~ 'Login'\n| where EventResult =~ 'Failed'\n| where EventMessage has 'access key'\n| summarize count() by UserName, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}