Silverfort - NoPacBreach Incident
| Id | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 |
| Rulename | Silverfort - NoPacBreach Incident |
| Description | The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1068 T1548 |
| Required data connectors | SilverfortAma |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml |
| Version | 1.0.0 |
| Arm template | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2.json |
CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "NoPacBreach"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
queryPeriod: 15m
query: |-
CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "NoPacBreach"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
name: Silverfort - NoPacBreach Incident
entityMappings:
- fieldMappings:
- columnName: UserName
identifier: Name
entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml
description: |
'The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain'
kind: Scheduled
version: 1.0.0
queryFrequency: 15m
severity: High
requiredDataConnectors:
- connectorId: SilverfortAma
dataTypes:
- CommonSecurityLog
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
id: bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2
relevantTechniques:
- T1068
- T1548