Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CyberArkEPM - Multiple attack types

Back
Idc02f96b4-057b-4e63-87af-6376ef7a081b
RulenameCyberArkEPM - Multiple attack types
DescriptionThis rule triggers on multiple attack attemts triggered by same user.
SeverityHigh
TacticsExecution
TechniquesT1204
Required data connectorsCyberArkEPM
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
Version1.0.0
Arm templatec02f96b4-057b-4e63-87af-6376ef7a081b.json
Deploy To Azure
CyberArkEPM
| where EventSubType =~ 'AttackAttempt'
| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
| where array_length(att) > 1
| extend AccountCustomEntity = ActorUsername
tactics:
- Execution
name: CyberArkEPM - Multiple attack types
id: c02f96b4-057b-4e63-87af-6376ef7a081b
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
  | where array_length(att) > 1
  | extend AccountCustomEntity = ActorUsername  
relevantTechniques:
- T1204
description: |
    'This rule triggers on multiple attack attemts triggered by same user.'
triggerOperator: gt
queryPeriod: 10m
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "properties": {
        "alertRuleTemplateName": "c02f96b4-057b-4e63-87af-6376ef7a081b",
        "customDetails": null,
        "description": "'This rule triggers on multiple attack attemts triggered by same user.'\n",
        "displayName": "CyberArkEPM - Multiple attack types",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml",
        "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername\n| where array_length(att) > 1\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}