Azure · v-dvedak · Apr 24, 2026 · Mar 17, 2026 · Apr 13, 2026 · Apr 17, 2026
@@ -0,0 +1,49 @@
+{
+  "name": "ValimailEnforceEvents_CL",
+  "Properties": [
+    {
+      "Name": "Subject",
+      "Type": "String"
+    },
+    {
+      "Name": "User",
+      "Type": "String"
+    },
+    {
+      "Name": "EventType",
+      "Type": "String"
+    },
+    {
+      "Name": "EventChange",
+      "Type": "String"
+    },
+    {
+      "Name": "PerformedAt",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "Computer",
+      "Type": "String"
+    },
+    {
+      "Name": "EventCategory",
+      "Type": "String"
+    },
+    {
+      "Name": "EventSeverity",
+      "Type": "String"
+    },
+    {
+      "Name": "IsHighValueEvent",
+      "Type": "Boolean"
+    }
+  ]
+}
@@ -298,5 +298,6 @@
   "ContrastADRCCF",
   "CheckPointCyberintAlerts",
   "CheckPointCyberintIOC",
-  "D3SOARConnectorDefinition"
-]
+  "D3SOARConnectorDefinition",
+  "ValimailEnforce"
+]
@@ -0,0 +1,62 @@
+id: 483078c6-d029-40f3-931a-30af0032008b
+name: Valimail Enforce - Email Authentication Key Deleted
+description: |
+  This query searches for deletion of SPF delegations or DKIM keys, which are medium-severity events
+  that could degrade email authentication posture for a domain.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: ValimailEnforce
+    dataTypes:
+      - ValimailEnforceEvents_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+query: |
+  ValimailEnforceEvents_CL
+  | where EventSeverity == "Medium"
+  | where EventCategory in ("SPFConfiguration", "DKIMConfiguration")
+  | where IsHighValueEvent == true
+  | summarize
+      EventCount = count(),
+      FirstSeen = min(PerformedAt),
+      LastSeen = max(PerformedAt),
+      AffectedDomains = make_set(Subject),
+      Actions = make_set(EventType)
+    by User, EventCategory
+  | extend
+      AccountName = tostring(split(User, "@")[0]),
+      AccountDomain = tostring(split(User, "@")[1]),
+      DomainName = tostring(AffectedDomains[0])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountDomain
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DomainName
+alertDetailsOverride:
+  alertDisplayNameFormat: "{{EventCategory}} key deleted on {{EventCount}} domain(s) by {{User}}"
+  alertDescriptionFormat: |
+    User '{{User}}' deleted one or more {{EventCategory}} records affecting
+    domains: {{AffectedDomains}}. This may weaken email authentication posture.
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1d
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,62 @@
+id: 44ec1fa4-a502-41ae-879a-3aad3557edce
+name: Valimail Enforce - DMARC Policy Weakened to None
+description: |
+  This query searches for DMARC policies changed to 'none', which disables enforcement
+  and leaves the domain vulnerable to spoofing and phishing attacks.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: ValimailEnforce
+    dataTypes:
+      - ValimailEnforceEvents_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - InitialAccess
+relevantTechniques:
+  - T1566
+  - T1562
+query: |
+  ValimailEnforceEvents_CL
+  | where EventSeverity == "High"
+  | where EventType == "dmarc_policy_set_to_none"
+  | summarize
+      EventCount = count(),
+      FirstSeen = min(PerformedAt),
+      LastSeen = max(PerformedAt),
+      Changes = make_set(EventChange)
+    by Subject, User, EventCategory
+  | extend
+      AccountName = tostring(split(User, "@")[0]),
+      AccountDomain = tostring(split(User, "@")[1]),
+      DomainName = Subject
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountDomain
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DomainName
+alertDetailsOverride:
+  alertDisplayNameFormat: "DMARC policy set to NONE on domain {{Subject}} by {{User}}"
+  alertDescriptionFormat: |
+    The DMARC policy for domain '{{Subject}}' was set to 'none' by '{{User}}',
+    disabling email authentication enforcement. This may expose the domain to spoofing.
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1d
+    matchingMethod: Selected
+    groupByEntities:
+      - DNS
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,77 @@
+id: 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff
+name: Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
+description: |
+  This query searches for a single user performing more than 3 configuration changes or user
+  additions within a 1-hour window on any domain. An unusual burst of changes may
+  indicate a compromised admin account, unauthorized automation, or insider threat.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: ValimailEnforce
+    dataTypes:
+      - ValimailEnforceEvents_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+  - DefenseEvasion
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1562
+  - T1531
+  - T1078
+query: |
+  let threshold = 3;
+  let timeWindow = 1h;
+  ValimailEnforceEvents_CL
+  | where EventCategory in (
+      "DMARCPolicy",
+      "SPFConfiguration",
+      "DKIMConfiguration",
+      "DomainManagement",
+      "UserManagement"
+    )
+  | summarize
+      ChangeCount       = count(),
+      HighValueCount    = countif(IsHighValueEvent == true),
+      Domains           = make_set(Subject),
+      DomainCount       = dcount(Subject),
+      Actions           = make_set(EventType),
+      Categories        = make_set(EventCategory),
+      FirstSeen         = min(PerformedAt),
+      LastSeen          = max(PerformedAt)
+    by User, bin(PerformedAt, timeWindow)
+  | where ChangeCount > threshold
+  | extend
+      AccountName   = tostring(split(User, "@")[0]),
+      AccountDomain = tostring(split(User, "@")[1]),
+      DomainName    = tostring(Domains[0]),
+      ChangesPerMin = round(todouble(ChangeCount) / 60.0, 2)
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountDomain
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DomainName
+alertDetailsOverride:
+  alertDisplayNameFormat: "Unusual change rate by {{User}}, {{ChangeCount}} changes in 1h across {{DomainCount}} domain(s)"
+  alertDescriptionFormat: |
+    User '{{User}}' made {{ChangeCount}} configuration changes across {{DomainCount}} domain(s) within one hour.
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1d
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,59 @@
+id: e960f5b0-cd80-474a-996a-013ff3989772
+name: Valimail Enforce - High-Value User Management Event
+description: |
+  This query searches for high-severity user management events such as user deletion or deactivation
+  in Valimail Enforce, which may indicate unauthorized access or insider threat.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: ValimailEnforce
+    dataTypes:
+      - ValimailEnforceEvents_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1531
+  - T1078
+query: |
+  ValimailEnforceEvents_CL
+  | where EventCategory == "UserManagement"
+  | where EventSeverity == "High"
+  | where IsHighValueEvent == true
+  | summarize
+      EventCount = count(),
+      FirstSeen = min(PerformedAt),
+      LastSeen = max(PerformedAt),
+      AffectedUsers = make_set(Subject),
+      Actions = make_set(EventType)
+    by User, EventCategory
+  | extend
+      AccountName = tostring(split(User, "@")[0]),
+      AccountDomain = tostring(split(User, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountDomain
+alertDetailsOverride:
+  alertDisplayNameFormat: "High-value user management action by {{User}}"
+  alertDescriptionFormat: |
+    User '{{User}}' performed {{EventCount}} high-value user management
+    action(s) in Valimail Enforce. Actions: {{Actions}}
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1d
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,55 @@
+{
+  "name": "ValimailEnforceEvents",
+  "apiVersion": "2024-03-11",
+  "location": "[parameters('workspace-location')]",
+  "type": "Microsoft.Insights/dataCollectionRules",
+  "properties": {
+    "dataCollectionEndpointId": "[resourceId(parameters('subscription'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', parameters('workspace'))]",
+    "streamDeclarations": {
+      "Custom-ValimailReporting_API": {
+        "columns": [
+          {
+            "name": "subject",
+            "type": "string"
+          },
+          {
+            "name": "user",
+            "type": "string"
+          },
+          {
+            "name": "event-type",
+            "type": "string"
+          },
+          {
+            "name": "event-change",
+            "type": "string"
+          },
+          {
+            "name": "performed-at",
+            "type": "datetime"
+          }
+        ]
+      }
+    },
+    "destinations": {
+      "logAnalytics": [
+        {
+          "workspaceResourceId": "{{workspaceResourceId}}",
+          "name": "clv2ws1"
+        }
+      ]
+    },
+    "dataFlows": [
+      {
+        "streams": [
+          "Custom-ValimailReporting_API"
+        ],
+        "destinations": [
+          "clv2ws1"
+        ],
+        "transformKql": "source | extend EventTypeNorm = tolower(strcat_delim('_', split(['event-type'], ' '))) | project Subject = subject, User = user, EventType = ['event-type'], EventChange = ['event-change'], PerformedAt = ['performed-at'], TimeGenerated = ['performed-at'], SourceSystem = \"Valimail\", Computer = user, EventCategory = case(EventTypeNorm contains \"user\", \"UserManagement\", EventTypeNorm contains \"dmarc\", \"DMARCPolicy\", EventTypeNorm contains \"spf\", \"SPFConfiguration\", EventTypeNorm contains \"dkim\", \"DKIMConfiguration\", EventTypeNorm contains \"domain\", \"DomainManagement\", EventTypeNorm contains \"service\", \"ServiceManagement\", \"Other\"), EventSeverity = case(EventTypeNorm == \"dmarc_policy_set_to_none\", \"High\", EventTypeNorm == \"user_deleted\", \"High\", EventTypeNorm contains \"deleted\", \"Medium\", EventTypeNorm == \"dmarc_policy_set_to_quarantine\", \"Medium\", EventTypeNorm == \"dmarc_policy_set_to_reject\", \"Low\", EventTypeNorm contains \"added\", \"Low\", \"Informational\"), IsHighValueEvent = EventTypeNorm in (\"user_added\", \"user_deleted\", \"user_deactivated\", \"spf_delegation_started\", \"spf_delegation_stopped\", \"dkim_key_added\", \"dkim_key_deleted\", \"dmarc_policy_set_to_quarantine\", \"dmarc_policy_set_to_reject\", \"dmarc_policy_set_to_none\")",
+        "outputStream": "Custom-ValimailEnforceEvents_CL"
+      }
+    ]
+  }
+}