IDP Alert

Back


Id	c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename	IDP Alert
Description	This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity	Medium
Tactics	DefenseEvasion Impact
Techniques	T1578 T1531
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version	1.0.0
Arm template	c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json

KQL

SecurityIncident
| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"

YAML

queryPeriod: 5m
entityMappings: 
id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
name: IDP Alert
status: Available
description: |
    'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
tactics:
- DefenseEvasion
- Impact
triggerOperator: gt
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"  
queryFrequency: 5m
triggerThreshold: 0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
requiredDataConnectors: []
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
version: 1.0.0
relevantTechniques:
- T1578
- T1531
severity: Medium

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "properties": {
        "alertRuleTemplateName": "c982bcc1-ef73-485b-80d5-2a637ce4ab2b",
        "customDetails": null,
        "description": "'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'\n",
        "displayName": "IDP Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description == \"IDP Compromised\" and Status has \"New\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}