Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CyberArkEPM - Multiple attack types

CyberArkEPM - Multiple attack types

Back
Idc02f96b4-057b-4e63-87af-6376ef7a081b
RulenameCyberArkEPM - Multiple attack types
DescriptionThis rule triggers on multiple attack attemts triggered by same user.
SeverityHigh
TacticsExecution
TechniquesT1204
Required data connectorsCyberArkEPM
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
Version1.0.0
Arm templatec02f96b4-057b-4e63-87af-6376ef7a081b.json
Deploy To Azure
CyberArkEPM
| where EventSubType =~ 'AttackAttempt'
| summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
| where array_length(att) > 1
| extend AccountCustomEntity = ActorUsername

queryPeriod: 10m
description: |
    'This rule triggers on multiple attack attemts triggered by same user.'
relevantTechniques:
- T1204
triggerThreshold: 0
id: c02f96b4-057b-4e63-87af-6376ef7a081b
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
triggerOperator: gt
tactics:
- Execution
name: CyberArkEPM - Multiple attack types
version: 1.0.0
severity: High
query: |
  CyberArkEPM
  | where EventSubType =~ 'AttackAttempt'
  | summarize LatestAttackTime=max(EventEndTime), att=makeset(EventMessage) by ActorUsername
  | where array_length(att) > 1
  | extend AccountCustomEntity = ActorUsername