
Illusive Incidents Analytic Rule

Id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
Rulename: Illusive Incidents Analytic Rule
Description: Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages.
Severity: Medium
Required data connectors: Illusive, illusiveAttackManagementSystemAma
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
Version: 1.0.3
Arm template: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630.json
// Illusive alert (incident) events delivered as CEF/Syslog into CommonSecurityLog.
// Output: one row per Illusive incident event with IncidentId/IncidentURL exposed for mapping.
CommonSecurityLog
| where DeviceProduct == "illusive"
// Prefer the FieldDeviceCustomNumber2 column when the table has it; otherwise keep DeviceCustomNumber2.
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
// NOTE(review): TimeGenerated is also a group-by key, so arg_max() here only collapses exact
// duplicate rows rather than picking the latest event per incident — confirm this is intended.
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
// Pull the CEF 'cat' and 'cs7' extension values out of the raw AdditionalExtensions string.
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
// Use the parsed DeviceEventCategory column when present and non-empty; coalesce() skips
// nulls and empty strings, so the extracted Category remains the fallback.
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)	
// Only Illusive alert events become incidents; other Illusive event categories are dropped.
| where Category == "illusive:alerts"
// Stable names consumed by the rule's entity mappings and custom details.
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL
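# Every query result row becomes its own alert, so each Illusive incident surfaces separately.
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
severity: Medium
name: Illusive Incidents Analytic Rule
# Entities are resolved from columns projected by the query below.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: FullName
# NOTE(review): Computer is mapped as a Host via its agent id; confirm it identifies the
# host of interest rather than the collector that forwarded the Syslog message.
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: OMSAgentID
queryFrequency: 5m
triggerThreshold: 0
queryPeriod: 5m
# The single quotes sit inside the block scalar and are therefore part of the rendered
# description text; `|-` keeps the text but drops the trailing newline.
description: |-
    'Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
# Column names (not values) copied into each alert's custom details.
customDetails:
  Account: SourceUserName
  IllusiveIncidentId: IncidentId
  HasForensics: HasForensics
version: 1.0.3
triggerOperator: gt
# Keep these lines free of trailing whitespace: inside a block scalar it becomes part of
# the query text that is deployed.
query: |-
  CommonSecurityLog
  | where DeviceProduct == "illusive"
  | extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
  | summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
  | extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
  | extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)
  | where Category == "illusive:alerts"
  | extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
  | project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL
status: Available
kind: Scheduled
# Either connector (legacy agent or AMA) delivers the CommonSecurityLog rows this rule reads.
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: Illusive
- dataTypes:
  - CommonSecurityLog
  connectorId: illusiveAttackManagementSystemAma
alertDetailsOverride:
  # `|-` so the trailing newline does not end up inside the alert title and description.
  alertDescriptionFormat: |-
        Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
  alertDisplayNameFormat: |-
        Illusive Incident: {{IncidentId}}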
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1a7dbcf6-21a2-4255-84b2-c8dbbdca4630')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Illusive Incidents Analytic Rule",
        "description": "'Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "CommonSecurityLog\n| where DeviceProduct == \"illusive\"\n| extend DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2)\n| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated\n| extend Category = extract(@'cat=([^;]+)(\\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\\;|$)', 1, AdditionalExtensions)\n| extend Category = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),Category)\t\n| where Category == \"illusive:alerts\"\n| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5\n| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress,  DestinationHostName, DestinationUserName, IncidentId, IncidentURL\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "1a7dbcf6-21a2-4255-84b2-c8dbbdca4630",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Illusive Incident: {{IncidentId}}\n",
          "alertDescriptionFormat": "Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}\n"
        },
        "customDetails": {
          "Account": "SourceUserName",
          "IllusiveIncidentId": "IncidentId",
          "HasForensics": "HasForensics"
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "SourceHostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "OMSAgentID",
                "columnName": "Computer"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml",
        "status": "Available",
        "templateVersion": "1.0.3"
      }
    }
  ]
}