Illusive Incidents Analytic Rule

CommonSecurityLog
| where DeviceProduct == "illusive"
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL

triggerOperator: gt
queryFrequency: 5m
requiredDataConnectors:
- connectorId: Illusive
  dataTypes:
  - CommonSecurityLog
- connectorId: illusiveAttackManagementSystemAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
relevantTechniques:
- T1078
- T1098
- T1548
- T1021
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: SourceHostName
- entityType: Host
  fieldMappings:
  - identifier: OMSAgentID
    columnName: Computer
query: |
  CommonSecurityLog
  | where DeviceProduct == "illusive"
  | extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
  | summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
  | extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
  | extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
  | where Category == "illusive:alerts"
  | extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
  | project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL  
triggerThreshold: 0
customDetails:
  HasForensics: HasForensics
  Account: SourceUserName
  IllusiveIncidentId: IncidentId
alertDetailsOverride:
  alertDisplayNameFormat: |
        Illusive Incident: {{IncidentId}}
  alertDescriptionFormat: |
        Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
queryPeriod: 5m
name: Illusive Incidents Analytic Rule
status: Available
kind: Scheduled
description: |
    'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
version: 1.0.5
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- LateralMovement
severity: Medium