Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CyberArkEPM - Multiple attack types

Back
Idc02f96b4-057b-4e63-87af-6376ef7a081b
RulenameCyberArkEPM - Multiple attack types
DescriptionThis rule triggers on multiple attack attemts triggered by same user.
SeverityHigh
TacticsExecution
TechniquesT1204
Required data connectorsCyberArkEPM
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
Version1.0.0
Arm templatec02f96b4-057b-4e63-87af-6376ef7a081b.json
Deploy To Azure
CyberArkEPM
| where EventSubType =~ 'AttackAttempt'
| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
| where array_length(att) > 1
| extend AccountCustomEntity = ActorUsername
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
description: |
    'This rule triggers on multiple attack attemts triggered by same user.'
triggerOperator: gt
queryPeriod: 10m
requiredDataConnectors:
- dataTypes:
  - CyberArkEPM
  connectorId: CyberArkEPM
queryFrequency: 10m
triggerThreshold: 0
tactics:
- Execution
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
  | where array_length(att) > 1
  | extend AccountCustomEntity = ActorUsername  
kind: Scheduled
relevantTechniques:
- T1204
version: 1.0.0
id: c02f96b4-057b-4e63-87af-6376ef7a081b
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
name: CyberArkEPM - Multiple attack types
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c02f96b4-057b-4e63-87af-6376ef7a081b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "CyberArkEPM - Multiple attack types",
        "description": "'This rule triggers on multiple attack attemts triggered by same user.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CyberArkEPM\n| where EventSubType =~ 'AttackAttempt'\n| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername\n| where array_length(att) > 1\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "alertRuleTemplateName": "c02f96b4-057b-4e63-87af-6376ef7a081b",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml"
      }
    }
  ]
}