Illusive Incidents Analytic Rule
| Id | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630 |
| Rulename | Illusive Incidents Analytic Rule |
| Description | Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages. |
| Severity | Medium |
| Tactics | Persistence PrivilegeEscalation DefenseEvasion CredentialAccess LateralMovement |
| Techniques | T1078 T1098 T1548 T1021 |
| Required data connectors | CefAma Illusive illusiveAttackManagementSystemAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml |
| Version | 1.0.5 |
| Arm template | 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630.json |
CommonSecurityLog
| where DeviceProduct == "illusive"
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress, DestinationHostName, DestinationUserName, IncidentId, IncidentURL
tactics:
- Persistence
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- LateralMovement
id: 1a7dbcf6-21a2-4255-84b2-c8dbbdca4630
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illusive Platform/Analytic Rules/Illusive_Detection_Query.yaml
status: Available
description: |
'Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages.'
version: 1.0.5
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: OMSAgentID
columnName: Computer
entityType: Host
alertDetailsOverride:
alertDisplayNameFormat: |
Illusive Incident: {{IncidentId}}
alertDescriptionFormat: |
Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
name: Illusive Incidents Analytic Rule
query: |
CommonSecurityLog
| where DeviceProduct == "illusive"
| extend DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2)
| summarize arg_max(TimeGenerated, *) by DeviceCustomNumber2, AdditionalExtensions, TimeGenerated
| extend Category = extract(@'cat=([^;]+)(\;|$)', 1, AdditionalExtensions), HasForensics = extract(@'cs7=([^;]+)(\;|$)', 1, AdditionalExtensions)
| extend Category = coalesce(column_ifexists("DeviceEventCategory",""),Category)
| where Category == "illusive:alerts"
| extend IncidentId = DeviceCustomNumber2, IncidentURL = DeviceCustomString5
| project TimeGenerated, SourceIP, SourceHostName,Computer , DeviceEventClassID ,HasForensics ,SourceUserName, Activity, DeviceAddress, DestinationHostName, DestinationUserName, IncidentId, IncidentURL
kind: Scheduled
queryPeriod: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 5m
triggerOperator: gt
customDetails:
IllusiveIncidentId: IncidentId
Account: SourceUserName
HasForensics: HasForensics
requiredDataConnectors:
- connectorId: Illusive
dataTypes:
- CommonSecurityLog
- connectorId: illusiveAttackManagementSystemAma
dataTypes:
- CommonSecurityLog
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
relevantTechniques:
- T1078
- T1098
- T1548
- T1021