Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Illusive Incidents Analytic Rule

Back
Id1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
RulenameIllusive Incidents Analytic Rule
DescriptionCreate a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.
SeverityMedium
TacticsPersistence
PrivilegeEscalation
DefenseEvasion
CredentialAccess
LateralMovement
TechniquesT1078
T1098
T1548
T1021
Required data connectorsCefAma
Illusive
illusiveAttackManagementSystemAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
Version1.0.5
Arm template1a7dbcf6-21a2-4255-84b2-c8dbbdca4630.json
Deploy To Azure
CommonSecurityLog
| where DeviceProduct == "illusive"
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- LateralMovement
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Illusive Incidents Analytic Rule
query: |
  CommonSecurityLog
  | where DeviceProduct == "illusive"
  | extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
  | summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
  | extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
  | extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
  | where Category == "illusive:alerts"
  | extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
  | project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL  
severity: Medium
customDetails:
  Account: SourceUserName
  IllusiveIncidentId: IncidentId
  HasForensics: HasForensics
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078
- T1098
- T1548
- T1021
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
queryFrequency: 5m
requiredDataConnectors:
- connectorId: Illusive
  dataTypes:
  - CommonSecurityLog
- connectorId: illusiveAttackManagementSystemAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.5
description: |
    'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illusive Incident: {{IncidentId}}
  alertDescriptionFormat: |
        Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: Computer
    identifier: OMSAgentID
  entityType: Host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illusive Incident: {{IncidentId}}\n"
        },
        "alertRuleTemplateName": "1a7dbcf6-21a2-4255-84b2-c8dbbdca4630",
        "customDetails": {
          "Account": "SourceUserName",
          "HasForensics": "HasForensics",
          "IllusiveIncidentId": "IncidentId"
        },
        "description": "'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'\n",
        "displayName": "Illusive Incidents Analytic Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "OMSAgentID"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml",
        "query": "CommonSecurityLog\n| where DeviceProduct == \"illusive\"\n| extend DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\n| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated\n| extend Category = extract(@'cat=([^;]+)(\\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\\;|$)', 1, AdditionalExtensions)\n| extend Category = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),Category)\t\n| where Category == \"illusive:alerts\"\n| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5\n| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1021",
          "T1078",
          "T1098",
          "T1548"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}