Microsoft Sentinel Analytic Rules

IDP Alert

Id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename: IDP Alert
Description: This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity: Medium
Tactics: DefenseEvasion, Impact
Techniques: T1578, T1531
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version: 1.0.0
Arm template: c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json
// Detection predicate of the "IDP Alert" rule. The source is the SecurityIncident
// table, i.e. existing incidents, not raw Commvault connector data.
SecurityIncident
// Title and Status use `has` (case-insensitive term match); Description uses `==`,
// so only the exact text "IDP Compromised" matches - any change to that wording
// upstream means the rule no longer fires.
| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
# Sentinel scheduled analytic rule "IDP Alert" (Commvault Security IQ solution),
# as rendered on this page from the upstream YAML.
version: 1.0.0
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
severity: Medium
# Run interval (queryFrequency) equals the lookback (queryPeriod), so each run
# only sees SecurityIncident rows written in the last 5 minutes.
queryFrequency: 5m
# gt with triggerThreshold 0: a single matching row is enough to alert.
triggerOperator: gt
relevantTechniques:
- T1578
- T1531
status: Available
kind: Scheduled
triggerThreshold: 0
# The query reads the SecurityIncident table itself: this rule alerts on an
# existing incident whose Title/Description/Status match, not on connector data.
query: |
  SecurityIncident
  | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"  
# Empty entityMappings: alerts from this rule carry no entities (account, host,
# IP), so the resulting incidents cannot be enriched or automated on entities.
entityMappings: 
name: IDP Alert
queryPeriod: 5m
# NOTE(review): inside a literal block scalar (`|`) the single quotes are content,
# so the deployed description is the sentence wrapped in quotes plus a trailing
# newline (compare the "description" value in the ARM template on this page).
description: |
    'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
# No connector is declared as a prerequisite for this rule.
requiredDataConnectors: []
id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
tactics:
- DefenseEvasion
- Impact
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c982bcc1-ef73-485b-80d5-2a637ce4ab2b')]",
      "properties": {
        "alertRuleTemplateName": "c982bcc1-ef73-485b-80d5-2a637ce4ab2b",
        "customDetails": null,
        "description": "'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'\n",
        "displayName": "IDP Alert",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml",
        "query": "SecurityIncident\n| where Title has \"Cvlt Alert\" and Description == \"IDP Compromised\" and Status has \"New\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "Commvault",
          "Metallic",
          "Threat Intelligence",
          "Ransomware"
        ],
        "techniques": [
          "T1531",
          "T1578"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}