
Zscaler - ZPA connections by new user

Status
available
Severity
medium
Time window
14d
Group by
DstUserName
Source
github.com/Azure/Azure-Sentinel

'Detects ZPA connections by new user.'

MITRE ATT&CK coverage

Tactic        Techniques
Persistence   T1078 Valid Accounts

Rule body kusto

id: 236a7ec1-0120-40f2-a157-c1a72dde8bcb
name: Zscaler - ZPA connections by new user
description: |
  'Detects ZPA connections by new user.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: CustomLogsAma
    datatypes:
      - ZPA_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1078
query: |
  let listUsers =
  ZPAEvent
  | where TimeGenerated > ago(14d)
  | where DvcAction == 'open'
  | summarize ListofUsers = make_set(DstUserName) by DstUserName
  | project ListofUsers;
  ZPAEvent
  | where DstUserName !in (listUsers)
  | summarize EventCount = count() by DstUserName
  | project-away EventCount
  | extend AccountCustomEntity = DstUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
version: 1.0.2
kind: Scheduled

Stages and Predicates

Let binding: listUsers

let listUsers = ZPAEvent
| where TimeGenerated > ago(14d)
| where DvcAction == 'open'
| summarize ListofUsers = make_set(DstUserName) by DstUserName
| project ListofUsers;

Stage 1: source

ZPAEvent

Stage 2: where

| where DstUserName !in (listUsers)

References listUsers (defined above).

Stage 3: summarize

| summarize EventCount = count() by DstUserName

Stage 4: project-away

| project-away EventCount

Stage 5: extend

| extend AccountCustomEntity = DstUserName
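To make the stages above concrete, this is an added Python model of the query (not code from Azure-Sentinel) run over constructed ZPAEvent rows; it assumes Sentinel bounds the unfiltered second ZPAEvent reference to the 14d queryPeriod. Because the listUsers baseline is built over that same window, a user is flagged when they have ZPA events in the last 14 days but none with DvcAction == 'open'.

```python
from datetime import datetime, timedelta, timezone

# Constructed ZPAEvent rows for illustration only (not real telemetry).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # alice: has an 'open' inside the 14d window -> lands in listUsers, never alerted
    {"TimeGenerated": NOW - timedelta(days=3), "DvcAction": "open", "DstUserName": "alice@example.com"},
    {"TimeGenerated": NOW - timedelta(days=1), "DvcAction": "close", "DstUserName": "alice@example.com"},
    # bob: only non-'open' actions in the window -> not in listUsers, alerted
    {"TimeGenerated": NOW - timedelta(days=2), "DvcAction": "close", "DstUserName": "bob@example.com"},
    # carol: her 'open' is 20 days old, outside ago(14d) -> baseline misses her, alerted
    {"TimeGenerated": NOW - timedelta(days=20), "DvcAction": "open", "DstUserName": "carol@example.com"},
    {"TimeGenerated": NOW - timedelta(hours=2), "DvcAction": "block", "DstUserName": "carol@example.com"},
]


def baseline_users(events, now, lookback=timedelta(days=14)):
    """Let binding: ZPAEvent | where TimeGenerated > ago(14d) | where DvcAction == 'open'
    | summarize make_set(DstUserName) by DstUserName -> the distinct set of DstUserName."""
    return {
        e["DstUserName"]
        for e in events
        if e["TimeGenerated"] > now - lookback and e["DvcAction"] == "open"
    }


def detect_new_users(events, now, query_period=timedelta(days=14)):
    """Main query. Assumption: the bare ZPAEvent reference sees only queryPeriod (14d) of data.
    Stage 2: DstUserName !in (listUsers); Stage 3-4: one row per user, EventCount dropped;
    Stage 5: AccountCustomEntity = DstUserName for the Account entity mapping."""
    known = baseline_users(events, now)
    in_window = [e for e in events if e["TimeGenerated"] > now - query_period]
    flagged = sorted({e["DstUserName"] for e in in_window if e["DstUserName"] not in known})
    return [{"DstUserName": u, "AccountCustomEntity": u} for u in flagged]


if __name__ == "__main__":
    for row in detect_new_users(SAMPLE_EVENTS, NOW):
        print(row)
```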

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field         Kind   Excluded values
DstUserName   eq     listUsers

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field                 Source
DstUserName           summarize
AccountCustomEntity   extend