Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dynatrace Application Security - Attack detection

Dynatrace Application Security - Attack detection

Back
Id1b0b2065-8bac-5a00-83c4-1b58f69ac212
RulenameDynatrace Application Security - Attack detection
DescriptionDynatrace has detected an ongoing attack in your environment.
SeverityHigh
TacticsExecution
Impact
InitialAccess
PrivilegeEscalation
TechniquesT1059
T1565
T1190
T1068
Required data connectorsDynatraceAttacks
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
Version1.0.1
Arm template1b0b2065-8bac-5a00-83c4-1b58f69ac212.json
Deploy To Azure
DynatraceAttacks
| where State != 'ALLOWLISTED'
| summarize  arg_max(TimeStamp, *) by AttackId

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Dynatrace Application Security - Attack detection
alertDetailsOverride:
  alertDescriptionFormat: |
        Dynatrace has detected an ongoing attack in your environment which was {{State}}.
  alertDisplayNameFormat: 'Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
queryPeriod: 1d
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: host
    identifier: HostName
- entityType: URL
  fieldMappings:
  - columnName: url
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: sourceIp
    identifier: Address
queryFrequency: 1d
relevantTechniques:
- T1059
- T1565
- T1190
- T1068
requiredDataConnectors:
- dataTypes:
  - DynatraceAttacks
  connectorId: DynatraceAttacks
kind: Scheduled
customDetails:
  DisplayIdentifier: DisplayId
  AttackIdentifier: AttackId
  AttackType: AttackType
  AttackState: State
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: P7D
  createIncident: true
description: |
    'Dynatrace has detected an ongoing attack in your environment.'
tactics:
- Execution
- Impact
- InitialAccess
- PrivilegeEscalation
query: |
  DynatraceAttacks
  | where State != 'ALLOWLISTED'
  | summarize  arg_max(TimeStamp, *) by AttackId  
id: 1b0b2065-8bac-5a00-83c4-1b58f69ac212
version: 1.0.1

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Dynatrace has detected an ongoing attack in your environment which was {{State}}.\n",
          "alertDisplayNameFormat": "Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}"
        },
        "alertRuleTemplateName": "1b0b2065-8bac-5a00-83c4-1b58f69ac212",
        "customDetails": {
          "AttackIdentifier": "AttackId",
          "AttackState": "State",
          "AttackType": "AttackType",
          "DisplayIdentifier": "DisplayId"
        },
        "description": "'Dynatrace has detected an ongoing attack in your environment.'\n",
        "displayName": "Dynatrace Application Security - Attack detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml",
        "query": "DynatraceAttacks\n| where State != 'ALLOWLISTED'\n| summarize  arg_max(TimeStamp, *) by AttackId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Impact",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1068",
          "T1190",
          "T1565"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}