Dynatrace Application Security - Attack detection

Back


Id	1b0b2065-8bac-5a00-83c4-1b58f69ac212
Rulename	Dynatrace Application Security - Attack detection
Description	Dynatrace has detected an ongoing attack in your environment.
Severity	High
Tactics	Execution Impact InitialAccess PrivilegeEscalation
Techniques	T1059 T1565 T1190 T1068
Required data connectors	DynatraceAttacks
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
Version	1.0.1
Arm template	1b0b2065-8bac-5a00-83c4-1b58f69ac212.json

KQL

DynatraceAttacks
| where State != 'ALLOWLISTED'
| summarize  arg_max(TimeStamp, *) by AttackId

YAML

queryPeriod: 1d
status: Available
triggerOperator: gt
queryFrequency: 1d
description: |
    'Dynatrace has detected an ongoing attack in your environment.'
requiredDataConnectors:
- dataTypes:
  - DynatraceAttacks
  connectorId: DynatraceAttacks
kind: Scheduled
query: |
  DynatraceAttacks
  | where State != 'ALLOWLISTED'
  | summarize  arg_max(TimeStamp, *) by AttackId  
severity: High
alertDetailsOverride:
  alertDescriptionFormat: |
        Dynatrace has detected an ongoing attack in your environment which was {{State}}.
  alertDisplayNameFormat: 'Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
tactics:
- Execution
- Impact
- InitialAccess
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - columnName: host
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
relevantTechniques:
- T1059
- T1565
- T1190
- T1068
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Dynatrace Application Security - Attack detection
triggerThreshold: 0
id: 1b0b2065-8bac-5a00-83c4-1b58f69ac212
customDetails:
  AttackState: State
  DisplayIdentifier: DisplayId
  AttackType: AttackType
  AttackIdentifier: AttackId
version: 1.0.1
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: true
    lookbackDuration: P7D
    matchingMethod: AllEntities
    enabled: true

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Dynatrace has detected an ongoing attack in your environment which was {{State}}.\n",
          "alertDisplayNameFormat": "Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}"
        },
        "alertRuleTemplateName": "1b0b2065-8bac-5a00-83c4-1b58f69ac212",
        "customDetails": {
          "AttackIdentifier": "AttackId",
          "AttackState": "State",
          "AttackType": "AttackType",
          "DisplayIdentifier": "DisplayId"
        },
        "description": "'Dynatrace has detected an ongoing attack in your environment.'\n",
        "displayName": "Dynatrace Application Security - Attack detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml",
        "query": "DynatraceAttacks\n| where State != 'ALLOWLISTED'\n| summarize  arg_max(TimeStamp, *) by AttackId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Impact",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1068",
          "T1190",
          "T1565"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}