Azure-Sentinel/Detections/DuoSecurity/TrustMonitorEvent.yaml

id: 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182
name: Trust Monitor Event
description: |
  'This query identifies when a new trust monitor event is detected.'  
severity: Medium
requiredDataConnectors: []
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
query: |
  let timeframe = ago(5m);
  DuoSecurityTrustMonitor_CL
  | where TimeGenerated >= timeframe
  | extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s  
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.2
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: SecurityJedi
    support:
        tier: Community
    categories:
        domains: [ "Security - Others" ]