Microsoft Sentinel Analytic Rules

Valimail Enforce - High-Value User Management Event

Id: e960f5b0-cd80-474a-996a-013ff3989772
Rulename: Valimail Enforce - High-Value User Management Event
Description: This query searches for high-severity user management events such as user deletion or deactivation in Valimail Enforce, which may indicate unauthorized access or insider threat.
Severity: High
Tactics: Impact, PrivilegeEscalation
Techniques: T1531, T1078
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
Version: 1.0.0
Arm template: e960f5b0-cd80-474a-996a-013ff3989772.json
ValimailEnforceEvents_CL
| where EventCategory == "UserManagement"
| where EventSeverity == "High"
| where IsHighValueEvent == true
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    AffectedUsers = make_set(Subject),
    Actions = make_set(EventType)
  by User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1])
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  ValimailEnforceEvents_CL
  | where EventCategory == "UserManagement"
  | where EventSeverity == "High"
  | where IsHighValueEvent == true
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      AffectedUsers = make_set(Subject),
      Actions = make_set(EventType)
    by User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1])  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
tactics:
- Impact
- PrivilegeEscalation
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
requiredDataConnectors:
- connectorId: ValimailEnforce
  dataTypes:
  - ValimailEnforceEvents_CL
alertDetailsOverride:
  alertDescriptionFormat: |
    User '{{User}}' performed {{EventCount}} high-value user management
    action(s) in Valimail Enforce. Actions: {{Actions}}    
  alertDisplayNameFormat: High-value user management action by {{User}}
relevantTechniques:
- T1531
- T1078
description: |
  This query searches for high-severity user management events such as user deletion or deactivation
  in Valimail Enforce, which may indicate unauthorized access or insider threat.  
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: 1d
    groupByEntities:
    - Account
  createIncident: true
name: Valimail Enforce - High-Value User Management Event
version: 1.0.0
kind: Scheduled
id: e960f5b0-cd80-474a-996a-013ff3989772
severity: High