Elevation of Privilege attempt detected

Status
available
Severity
high
Time window
1d
Group by
SourceIp, ThreatCategory
Source
github.com/Azure/Azure-Sentinel

Identifies Elevation of Privilege attempts in Azure Firewall IDPS logs.

MITRE ATT&CK coverage

Tactic            | Technique
Initial Access    | T1078 Valid Accounts
Credential Access | T1110 Brute Force

Rule body (kusto)

id: 7a0f78b3-9a55-4ad0-a56d-b6616fdbff6a
name: Elevation of Privilege attempt detected
description: |
  Identifies Elevation of Privilege attempt Azure Firewall IDPS logs.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: AzureFirewall
    dataTypes:
      - AZFWIdpsSignature
queryFrequency: 1h
queryPeriod: 24h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1110
query: |
  let TimeWindow   = 90d;    // How far back to look 
  let HitThreshold = 10;     // Minimum hits to alert per SourceIp + Category
  let MinSeverity  = 1;      // Set Minimum Severity
  // Feature flags for optional filters
  let EnableCategoryFilter    = true;   // Filter 1
  let EnableDescriptionFilter = false;  // Filter 2
  let EnableActionFilter      = false;  // Filter 3
  // Filter 1: Categories of interest
  let CategoriesOfInterest = dynamic([
      "Attempted User Privilege Gain",
      "Unsuccessful User Privilege Gain",
      "Successful User Privilege Gain",
      "Attempted Administrator Privilege Gain",
      "Successful Administrator Privilege Gain"
  ]);
  // Filter 2: Descriptions of interest
  let DescriptionsOfInterest = dynamic([
      "attempted-user",
      "unsuccessful-user",
      "successful-user",
      "attempted-admin",
      "successful-admin"
  ]);
  // Filter 3: Action match
  let MatchActions = dynamic(["Deny", "alert"]);
  AZFWIdpsSignature
  | where TimeGenerated >= ago(TimeWindow)
  | where Severity >= MinSeverity
  // Filter 1: Category filter (optional)
  | where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))
  // Filter 2: Description filter (optional)
  | where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))
  // Filter 3: Action filter (optional)
  | where (EnableActionFilter == false) or (Action in~ (MatchActions))
  | summarize
      StartTime   = min(TimeGenerated),
      EndTime     = max(TimeGenerated),
      TotalHits   = count(),
      MaxSeverity = max(Severity),
      Actions     = make_set(Action, 5),
      Signatures  = make_set(SignatureId, 20),
      Description = make_set(substring(tostring(Description), 0, 120), 3)
      by SourceIp, ThreatCategory = Category
  | where TotalHits >= HitThreshold
  | project
      StartTime,
      EndTime,
      SourceIp,
      ThreatCategory,
      TotalHits,
      MaxSeverity,
      Actions,
      Signatures,
      Description
  | order by MaxSeverity desc, TotalHits desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
version: 1.0.1
kind: Scheduled

Stages and Predicates

Parameters

let TimeWindow = 90d;
let HitThreshold = 10;
let MinSeverity = 1;
let EnableCategoryFilter = true;
let EnableDescriptionFilter = false;
let EnableActionFilter = false;
let MatchActions = dynamic(["Deny", "alert"]);

Let binding: CategoriesOfInterest

let CategoriesOfInterest = dynamic([
    "Attempted User Privilege Gain",
    "Unsuccessful User Privilege Gain",
    "Successful User Privilege Gain",
    "Attempted Administrator Privilege Gain",
    "Successful Administrator Privilege Gain"
]);

Let binding: DescriptionsOfInterest

let DescriptionsOfInterest = dynamic([
    "attempted-user",
    "unsuccessful-user",
    "successful-user",
    "attempted-admin",
    "successful-admin"
]);

Stage 1: source

AZFWIdpsSignature

Stage 2: where

| where TimeGenerated >= ago(TimeWindow)

Stage 3: where

| where Severity >= MinSeverity

Stage 4: where

| where (EnableCategoryFilter == false) or (Category has_any (CategoriesOfInterest))

References CategoriesOfInterest (defined above).

Stage 5: where

| where (EnableDescriptionFilter == false) or (Description has_any (DescriptionsOfInterest))

References DescriptionsOfInterest (defined above).

Stage 6: where

| where (EnableActionFilter == false) or (Action in~ (MatchActions))

Stage 7: summarize

| summarize
    StartTime   = min(TimeGenerated),
    EndTime     = max(TimeGenerated),
    TotalHits   = count(),
    MaxSeverity = max(Severity),
    Actions     = make_set(Action, 5),
    Signatures  = make_set(SignatureId, 20),
    Description = make_set(substring(tostring(Description), 0, 120), 3)
    by SourceIp, ThreatCategory = Category

Threshold
ge 10

Stage 8: where

| where TotalHits >= HitThreshold

Stage 9: project

| project
    StartTime,
    EndTime,
    SourceIp,
    ThreatCategory,
    TotalHits,
    MaxSeverity,
    Actions,
    Signatures,
    Description

Stage 10: sort

| order by MaxSeverity desc, TotalHits desc
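As an added example (not code from the Azure-Sentinel project), the following Python re-implements the query's where, summarize, threshold and ordering stages over constructed AZFWIdpsSignature-style records, so the per-SourceIp/Category threshold behaviour can be checked offline. The sample events, the 2024-06-01 query time and the treatment of has_any as a case-insensitive substring match are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Parameters mirror the let bindings of the rule body.
TIME_WINDOW, HIT_THRESHOLD, MIN_SEVERITY = timedelta(days=90), 10, 1
ENABLE_CATEGORY_FILTER, ENABLE_DESCRIPTION_FILTER, ENABLE_ACTION_FILTER = True, False, False
CATEGORIES_OF_INTEREST = ["Attempted User Privilege Gain", "Unsuccessful User Privilege Gain",
    "Successful User Privilege Gain", "Attempted Administrator Privilege Gain",
    "Successful Administrator Privilege Gain"]
DESCRIPTIONS_OF_INTEREST = ["attempted-user", "unsuccessful-user", "successful-user",
    "attempted-admin", "successful-admin"]
MATCH_ACTIONS = ["Deny", "alert"]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed query time (assumption)

def has_any(value, terms):
    """Approximation of KQL has_any on a string column: case-insensitive containment."""
    return any(t.lower() in value.lower() for t in terms)

def keep(row, now):
    """Stages 2-6: time window, minimum severity and the three feature-flagged filters."""
    return (row["TimeGenerated"] >= now - TIME_WINDOW and row["Severity"] >= MIN_SEVERITY
            and (not ENABLE_CATEGORY_FILTER or has_any(row["Category"], CATEGORIES_OF_INTEREST))
            and (not ENABLE_DESCRIPTION_FILTER or has_any(row["Description"], DESCRIPTIONS_OF_INTEREST))
            and (not ENABLE_ACTION_FILTER or row["Action"].lower() in [a.lower() for a in MATCH_ACTIONS]))

def run_rule(rows, now=NOW):
    """Stages 7-10: summarize by SourceIp + Category, apply HitThreshold, order the result."""
    groups = defaultdict(list)
    for r in filter(lambda r: keep(r, now), rows):
        groups[(r["SourceIp"], r["Category"])].append(r)
    out = [{"StartTime": min(r["TimeGenerated"] for r in g), "EndTime": max(r["TimeGenerated"] for r in g),
            "SourceIp": ip, "ThreatCategory": cat, "TotalHits": len(g),
            "MaxSeverity": max(r["Severity"] for r in g),
            "Actions": sorted({r["Action"] for r in g})[:5],            # make_set(Action, 5)
            "Signatures": sorted({r["SignatureId"] for r in g})[:20],   # make_set(SignatureId, 20)
            "Description": sorted({r["Description"][:120] for r in g})[:3]}
           for (ip, cat), g in groups.items() if len(g) >= HIT_THRESHOLD]
    return sorted(out, key=lambda o: (-o["MaxSeverity"], -o["TotalHits"]))

def sample_rows():
    """Constructed events: one source over threshold, one under it, one in an unselected category."""
    mk = lambda ip, cat, sev, act, sig, i: {"TimeGenerated": NOW - timedelta(minutes=i),
        "SourceIp": ip, "Category": cat, "Severity": sev, "Action": act, "SignatureId": sig,
        "Description": f"ET EXPLOIT {cat.lower()} sig {sig}"}
    rows = [mk("203.0.113.5", "Attempted Administrator Privilege Gain", 2,
               "Deny" if i % 2 else "Alert", 2000000 + i % 3, i) for i in range(12)]
    rows += [mk("198.51.100.7", "Attempted User Privilege Gain", 1, "Deny", 2100001, i) for i in range(3)]
    rows += [mk("192.0.2.9", "Malware Command and Control Activity Detected", 3, "Deny", 2200001, i)
             for i in range(11)]
    return rows
```

When the rule runs as scheduled, queryPeriod: 24h bounds the data the query can see regardless of the 90d TimeWindow inside it, so the effective lookback is the shorter of the two and HitThreshold is counted only within it.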

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field | Kind | Values
Action | in |
  • Deny
  • alert
Category | match |
  • Attempted Administrator Privilege Gain
  • Attempted User Privilege Gain
  • Successful Administrator Privilege Gain
  • Successful User Privilege Gain
  • Unsuccessful User Privilege Gain
Description | match |
  • attempted-admin
  • attempted-user
  • successful-admin
  • successful-user
  • unsuccessful-user
Severity | ge |
  • 1 (transforms: cased)
TotalHits | ge |
  • 10 (transforms: cased)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field          | Source
Actions        | project
Description    | project
EndTime        | project
MaxSeverity    | project
Signatures     | project
SourceIp       | project
StartTime      | project
ThreatCategory | project
TotalHits      | project