Silverfort - NoPacBreach Incident
| Id | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2 |
| Rulename | Silverfort - NoPacBreach Incident |
| Description | The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1068 T1548 |
| Required data connectors | SilverfortAma |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml |
| Version | 1.0.0 |
| Arm template | bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2.json |
CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "NoPacBreach"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
entityMappings:
- fieldMappings:
- columnName: UserName
identifier: Name
entityType: Account
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/NoPac_Breach.yaml
version: 1.0.0
tactics:
- PrivilegeEscalation
queryPeriod: 15m
kind: Scheduled
id: bdfd2c45-10a0-44e7-a90a-ba7b6bdd9ff2
severity: High
query: |-
CommonSecurityLog
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "NoPacBreach"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
triggerThreshold: 0
name: Silverfort - NoPacBreach Incident
description: |
'The NoPac vulnerability involves privilege escalation, allowing attackers to gain unauthorized access and potentially take control of an entire Active Directory domain'
relevantTechniques:
- T1068
- T1548
requiredDataConnectors:
- connectorId: SilverfortAma
dataTypes:
- CommonSecurityLog
queryFrequency: 15m