Microsoft Sentinel Analytic Rules

Valimail Enforce - High-Value User Management Event

Id: e960f5b0-cd80-474a-996a-013ff3989772
Rulename: Valimail Enforce - High-Value User Management Event
Description: This query searches for high-severity user management events, such as user deletion or deactivation, in Valimail Enforce, which may indicate unauthorized access or an insider threat.
Severity: High
Tactics: Impact, PrivilegeEscalation
Techniques: T1531, T1078
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
Version: 1.0.0
Arm template: e960f5b0-cd80-474a-996a-013ff3989772.json
Query:
ValimailEnforceEvents_CL
| where EventCategory == "UserManagement"
| where EventSeverity == "High"
| where IsHighValueEvent == true
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    AffectedUsers = make_set(Subject),
    Actions = make_set(EventType)
  by User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1])
id: e960f5b0-cd80-474a-996a-013ff3989772
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - ValimailEnforceEvents_CL
  connectorId: ValimailEnforce
queryFrequency: 1h
alertDetailsOverride:
  alertDisplayNameFormat: High-value user management action by {{User}}
  alertDescriptionFormat: |
    User '{{User}}' performed {{EventCount}} high-value user management
    action(s) in Valimail Enforce. Actions: {{Actions}}    
queryPeriod: 1h
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - Account
    enabled: true
  createIncident: true
query: |
  ValimailEnforceEvents_CL
  | where EventCategory == "UserManagement"
  | where EventSeverity == "High"
  | where IsHighValueEvent == true
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      AffectedUsers = make_set(Subject),
      Actions = make_set(EventType)
    by User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1])  
name: Valimail Enforce - High-Value User Management Event
kind: Scheduled
tactics:
- Impact
- PrivilegeEscalation
severity: High
relevantTechniques:
- T1531
- T1078
triggerThreshold: 0
version: 1.0.0
description: |
  This query searches for high-severity user management events, such as user deletion or deactivation,
  in Valimail Enforce, which may indicate unauthorized access or an insider threat.