detection.wiki

Detection rules › Kusto

Zscaler - Connections by dormant user

Status
available
Severity
high
Time window
14d
Group by
DstUserName
Source
github.com/Azure/Azure-Sentinel

'Detects ZPA connections by dormant user.'

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1078 Valid Accounts

Rule body kusto

id: 66bc77ee-3e45-11ec-9bbc-0242ac130002
name: Zscaler - Connections by dormant user
description: |
  'Detects ZPA connections by dormant user.'
severity: High
status: Available
requiredDataConnectors:
  - connectorId: CustomLogsAma
    datatypes:
      - ZPA_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1078
query: |
  let dt_lastlogintime = 14d;
  let activeUsers =
  ZPAEvent 
  | where TimeGenerated > ago(dt_lastlogintime)
  | where DvcAction == 'open'
  | summarize lastLoginTime = max(TimeGenerated) by DstUserName
  | summarize makelist(DstUserName);
  ZPAEvent
  | where DstUserName !in~ (activeUsers)
  | summarize EventCount = count() by DstUserName
  | project-away EventCount
  | extend AccountCustomEntity = DstUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
version: 1.0.2
kind: Scheduled

Stages and Predicates

Parameters

let dt_lastlogintime = 14d;

Let binding: activeUsers

let activeUsers = ZPAEvent 
| where TimeGenerated > ago(dt_lastlogintime)
| where DvcAction == 'open'
| summarize lastLoginTime = max(TimeGenerated) by DstUserName
| summarize makelist(DstUserName);

Derived from dt_lastlogintime.

Stage 1: source

ZPAEvent

Stage 2: where

| where DstUserName !in~ (activeUsers)

References activeUsers (defined above).

Stage 3: summarize

| summarize EventCount = count() by DstUserName

Stage 4: project-away

| project-away EventCount

Stage 5: extend

| extend AccountCustomEntity = DstUserName

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
DstUserNameeqactiveUsers

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
DstUserNamesummarize
AccountCustomEntityextend