Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Silverfort - NoPacBreach Incident

Back
Idbdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2
RulenameSilverfort - NoPacBreach Incident
DescriptionThe NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1068
T1548
Required data connectorsSilverfortAma
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml
Version1.0.0
Arm templatebdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2.json
Deploy To Azure
CommonSecurityLog 
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "NoPacBreach"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
tactics:
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: UserName
  entityType: Account
query: |-
  CommonSecurityLog 
  | where DeviceVendor has 'Silverfort'
  | where DeviceProduct has 'Admin Console'
  | where DeviceEventClassID == "NewIncident"
  | where Message has "NoPacBreach"
  | extend UserName = parse_json(replace('^""|""$', '', Message))['userName']  
requiredDataConnectors:
- connectorId: SilverfortAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.0
queryFrequency: 15m
queryPeriod: 15m
description: |
    'The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain'
id: bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2
triggerThreshold: 0
severity: High
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml
name: Silverfort - NoPacBreach Incident
relevantTechniques:
- T1068
- T1548
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2')]",
      "properties": {
        "alertRuleTemplateName": "bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2",
        "customDetails": null,
        "description": "'The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain'\n",
        "displayName": "Silverfort - NoPacBreach Incident",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml",
        "query": "CommonSecurityLog \n| where DeviceVendor has 'Silverfort'\n| where DeviceProduct has 'Admin Console'\n| where DeviceEventClassID == \"NewIncident\"\n| where Message has \"NoPacBreach\"\n| extend UserName = parse_json(replace('^\"\"|\"\"$', '', Message))['userName']",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1068",
          "T1548"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}