Microsoft Sentinel Analytic Rules

Valimail Enforce - High-Value User Management Event

Id: e960f5b0-cd80-474a-996a-013ff3989772
Rule name: Valimail Enforce - High-Value User Management Event
Description: This query searches for high-severity user management events such as user deletion or deactivation in Valimail Enforce, which may indicate unauthorized access or insider threat.
Severity: High
Tactics: Impact, PrivilegeEscalation
Techniques: T1531, T1078
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
Version: 1.0.0
Arm template: e960f5b0-cd80-474a-996a-013ff3989772.json

Query:
ValimailEnforceEvents_CL
| where EventCategory == "UserManagement"
| where EventSeverity == "High"
| where IsHighValueEvent == true
| summarize
    EventCount = count(),
    FirstSeen = min(PerformedAt),
    LastSeen = max(PerformedAt),
    AffectedUsers = make_set(Subject),
    Actions = make_set(EventType)
  by User, EventCategory
| extend
    AccountName = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1])
relevantTechniques:
- T1531
- T1078
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: UPNSuffix
version: 1.0.0
id: e960f5b0-cd80-474a-996a-013ff3989772
severity: High
kind: Scheduled
queryFrequency: 1h
description: |
  This query searches for high-severity user management events such as user deletion or deactivation
  in Valimail Enforce, which may indicate unauthorized access or insider threat.  
requiredDataConnectors:
- connectorId: ValimailEnforce
  dataTypes:
  - ValimailEnforceEvents_CL
triggerOperator: gt
name: Valimail Enforce - High-Value User Management Event
tactics:
- Impact
- PrivilegeEscalation
alertDetailsOverride:
  alertDescriptionFormat: |
    User '{{User}}' performed {{EventCount}} high-value user management
    action(s) in Valimail Enforce. Actions: {{Actions}}    
  alertDisplayNameFormat: High-value user management action by {{User}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UserManagementHighValue.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  ValimailEnforceEvents_CL
  | where EventCategory == "UserManagement"
  | where EventSeverity == "High"
  | where IsHighValueEvent == true
  | summarize
      EventCount = count(),
      FirstSeen = min(PerformedAt),
      LastSeen = max(PerformedAt),
      AffectedUsers = make_set(Subject),
      Actions = make_set(EventType)
    by User, EventCategory
  | extend
      AccountName = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1])  
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - Account
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1d