IDP Alert

Back


Id	c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename	IDP Alert
Description	This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity	Medium
Tactics	DefenseEvasion Impact
Techniques	T1578 T1531
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version	1.0.0
Arm template	c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json

KQL

SecurityIncident
| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"

YAML

entityMappings: 
name: IDP Alert
tactics:
- DefenseEvasion
- Impact
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1578
- T1531
id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
queryFrequency: 5m
triggerOperator: gt
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"  
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
description: |
    'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
requiredDataConnectors: []
status: Available
queryPeriod: 5m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "properties": {
        "alertRuleTemplateName": "c982bcc1-ef73-485b-80d5-2a637ce4ab2b",
        "customDetails": null,
        "description": "'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'\n",
        "displayName": "IDP Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description == \"IDP Compromised\" and Status has \"New\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}