Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Illusive Incidents Analytic Rule

Back
Id1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
RulenameIllusive Incidents Analytic Rule
DescriptionCreate a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.
SeverityMedium
TacticsPersistence
PrivilegeEscalation
DefenseEvasion
CredentialAccess
LateralMovement
TechniquesT1078
T1098
T1548
T1021
Required data connectorsCefAma
Illusive
illusiveAttackManagementSystemAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
Version1.0.5
Arm template1a7dbcf6-21a2-4255-84b2-c8dbbdca4630.json
Deploy To Azure
CommonSecurityLog
| where DeviceProduct == "illusive"
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL
description: |
    'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
alertDetailsOverride:
  alertDescriptionFormat: |
        Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
  alertDisplayNameFormat: |
        Illusive Incident: {{IncidentId}}
status: Available
queryPeriod: 5m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
kind: Scheduled
requiredDataConnectors:
- connectorId: Illusive
  dataTypes:
  - CommonSecurityLog
- connectorId: illusiveAttackManagementSystemAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- LateralMovement
severity: Medium
triggerOperator: gt
version: 1.0.5
query: |
  CommonSecurityLog
  | where DeviceProduct == "illusive"
  | extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
  | summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
  | extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
  | extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
  | where Category == "illusive:alerts"
  | extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
  | project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL  
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Illusive Incidents Analytic Rule
queryFrequency: 5m
customDetails:
  HasForensics: HasForensics
  Account: SourceUserName
  IllusiveIncidentId: IncidentId
relevantTechniques:
- T1078
- T1098
- T1548
- T1021
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: Computer
    identifier: OMSAgentID
  entityType: Host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}\n",
          "alertDisplayNameFormat": "Illusive Incident: {{IncidentId}}\n"
        },
        "alertRuleTemplateName": "1a7dbcf6-21a2-4255-84b2-c8dbbdca4630",
        "customDetails": {
          "Account": "SourceUserName",
          "HasForensics": "HasForensics",
          "IllusiveIncidentId": "IncidentId"
        },
        "description": "'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'\n",
        "displayName": "Illusive Incidents Analytic Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "OMSAgentID"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml",
        "query": "CommonSecurityLog\n| where DeviceProduct == \"illusive\"\n| extend DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\n| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated\n| extend Category = extract(@'cat=([^;]+)(\\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\\;|$)', 1, AdditionalExtensions)\n| extend Category = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),Category)\t\n| where Category == \"illusive:alerts\"\n| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5\n| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1021",
          "T1078",
          "T1098",
          "T1548"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}