Illusive Incidents Analytic Rule
| Id | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 |
| Rulename | Illusive Incidents Analytic Rule |
| Description | Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages. |
| Severity | Medium |
| Tactics | Persistence PrivilegeEscalation DefenseEvasion CredentialAccess LateralMovement |
| Techniques | T1078 T1098 T1548 T1021 |
| Required data connectors | CefAma Illusive illusiveAttackManagementSystemAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml |
| Version | 1.0.5 |
| Arm template | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630.json |
// Select Illusive CEF events in the "illusive:alerts" category so Sentinel can raise an alert
// per Illusive incident. Everything downstream (entity mappings, custom details, alert text)
// relies on the columns projected at the end of this query.
CommonSecurityLog
// `==` is case-sensitive; events whose DeviceProduct is cased differently (e.g. "Illusive") would be dropped here.
| where DeviceProduct == "illusive"
// Presumably the AMA-based CEF connector surfaces cn2 as FieldDeviceCustomNumber2; fall back to the
// legacy DeviceCustomNumber2 column when that column does not exist or is null.
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
// TimeGenerated is itself a grouping key, so arg_max only collapses byte-identical duplicate rows
// (same cn2, same extension string, same timestamp). Distinct events of one incident all pass through
// and each becomes its own row/alert further down.
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
// Pull the raw CEF "cat" and "cs7" keys out of AdditionalExtensions; a value runs to the next ';' or end of string.
// NOTE(review): cs7 is read only from AdditionalExtensions. If the connector parses it into DeviceCustomString7
// instead, HasForensics comes back empty — confirm against live data.
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
// Prefer the connector-parsed DeviceEventCategory when that column exists and is non-empty
// (KQL coalesce treats an empty string like null), otherwise keep the regex-extracted value.
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)
| where Category == "illusive:alerts"
// The rule treats cn2 as the Illusive incident id and cs5 as the incident link; both are projected for the alert.
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
// Note: Computer is the host the log was collected from (typically the CEF/syslog forwarder), not the attacked endpoint.
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress, DestinationHostName, DestinationUserName, IncidentId, IncidentURL
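# Scheduled Sentinel analytic rule: one alert per Illusive "illusive:alerts" CEF event.
# The query below is the only logic; the rest of this document wires its output columns into
# the alert title/description, custom details and entity mappings.
alertDetailsOverride:
  alertDescriptionFormat: |
    Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
  alertDisplayNameFormat: |
    Illusive Incident: {{IncidentId}}
description: |
  'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
kind: Scheduled
tactics:
  - Persistence
  - PrivilegeEscalation
  - DefenseEvasion
  - CredentialAccess
  - LateralMovement
# All three connectors land data in CommonSecurityLog; the query reads nothing else.
requiredDataConnectors:
  - connectorId: Illusive
    dataTypes:
      - CommonSecurityLog
  - connectorId: illusiveAttackManagementSystemAma
    dataTypes:
      - CommonSecurityLog
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
severity: Medium
name: Illusive Incidents Analytic Rule
# Custom details are copied from the query's projected columns onto each alert.
customDetails:
  HasForensics: HasForensics
  IllusiveIncidentId: IncidentId
  # The query already projects the Illusive console link (cs5); expose it so an analyst can
  # pivot to the Illusive incident from the alert without re-running the query.
  IllusiveIncidentURL: IncidentURL
  Account: SourceUserName
# Any result row fires (gt 0).
triggerThreshold: 0
# NOTE(review): the lookback equals the run interval, so there is no overlap to absorb CEF/syslog
# ingestion delay; events that arrive late may fall between two runs — confirm the expected delay.
queryPeriod: 5m
query: |
  CommonSecurityLog
  | where DeviceProduct == "illusive"
  | extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
  | summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
  | extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
  | extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)
  | where Category == "illusive:alerts"
  | extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
  | project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress, DestinationHostName, DestinationUserName, IncidentId, IncidentURL
relevantTechniques:
  - T1078
  - T1098
  - T1548
  - T1021
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
queryFrequency: 5m
status: Available
version: 1.0.5
triggerOperator: gt
# One Sentinel alert per result row. The query's summarize groups on TimeGenerated as well, so several
# events of the same Illusive incident in one window each produce their own alert unless incident
# grouping (not shown here) merges them on IllusiveIncidentId.
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SourceIP
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: SourceHostName
        identifier: FullName
  # NOTE(review): CommonSecurityLog.Computer is the collecting host (typically the syslog/CEF forwarder),
  # and OMSAgentID expects an agent identifier rather than a hostname — confirm this mapping is intended.
  - entityType: Host
    fieldMappings:
      - columnName: Computer
        identifier: OMSAgentID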