Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CyberArkEPM - Multiple attack types

Back
Idc02f96b4-057b-4e63-87af-6376ef7a081b
RulenameCyberArkEPM - Multiple attack types
DescriptionThis rule triggers on multiple attack attemts triggered by same user.
SeverityHigh
TacticsExecution
TechniquesT1204
Required data connectorsCyberArkEPM
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
Version1.0.0
Arm templatec02f96b4-057b-4e63-87af-6376ef7a081b.json
Deploy To Azure
CyberArkEPM
| where EventSubType =~ 'AttackAttempt'
| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
| where array_length(att) > 1
| extend AccountCustomEntity = ActorUsername
id: c02f96b4-057b-4e63-87af-6376ef7a081b
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
  | where array_length(att) > 1
  | extend AccountCustomEntity = ActorUsername  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
description: |
    'This rule triggers on multiple attack attemts triggered by same user.'
name: CyberArkEPM - Multiple attack types
relevantTechniques:
- T1204
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
  - CyberArkEPM
  connectorId: CyberArkEPM
queryFrequency: 10m
queryPeriod: 10m
version: 1.0.0
kind: Scheduled
tactics:
- Execution
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "properties": {
        "alertRuleTemplateName": "c02f96b4-057b-4e63-87af-6376ef7a081b",
        "customDetails": null,
        "description": "'This rule triggers on multiple attack attemts triggered by same user.'\n",
        "displayName": "CyberArkEPM - Multiple attack types",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml",
        "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername\n| where array_length(att) > 1\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}