Dynatrace Application Security - Attack detection

DynatraceAttacks
| where State != 'ALLOWLISTED'
| summarize  arg_max(TimeStamp, *) by AttackId

status: Available
queryFrequency: 1d
id: 1b0b2065-8bac-5a00-83c4-1b58f69ac212
tactics:
- Execution
- Impact
- InitialAccess
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - columnName: host
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
requiredDataConnectors:
- connectorId: DynatraceAttacks
  dataTypes:
  - DynatraceAttacks
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}'
  alertDescriptionFormat: |
        Dynatrace has detected an ongoing attack in your environment which was {{State}}.
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  DynatraceAttacks
  | where State != 'ALLOWLISTED'
  | summarize  arg_max(TimeStamp, *) by AttackId  
description: |
    'Dynatrace has detected an ongoing attack in your environment.'
relevantTechniques:
- T1059
- T1565
- T1190
- T1068
customDetails:
  AttackType: AttackType
  AttackState: State
  DisplayIdentifier: DisplayId
  AttackIdentifier: AttackId
triggerThreshold: 0
queryPeriod: 1d
triggerOperator: gt
name: Dynatrace Application Security - Attack detection
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: true
    enabled: true
    lookbackDuration: P7D
  createIncident: true
severity: High
kind: Scheduled
version: 1.0.1