Dynatrace Application Security - Attack detection

Back


Id	1b0b2065-8bac-5a00-83c4-1b58f69ac212
Rulename	Dynatrace Application Security - Attack detection
Description	Dynatrace has detected an ongoing attack in your environment.
Severity	High
Tactics	Execution Impact InitialAccess PrivilegeEscalation
Techniques	T1059 T1565 T1190 T1068
Required data connectors	DynatraceAttacks
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
Version	1.0.0
Arm template	1b0b2065-8bac-5a00-83c4-1b58f69ac212.json

KQL

DynatraceAttacks
| where State != 'ALLOWLISTED'
| summarize  arg_max(TimeStamp, *) by AttackId

YAML

severity: High
queryFrequency: 1d
triggerOperator: gt
tactics:
- Execution
- Impact
- InitialAccess
- PrivilegeEscalation
suppressionEnabled: false
alertDetailsOverride:
  alertDescriptionFormat: |
        Dynatrace has detected an ongoing attack in your environment which was {{State}}.
  alertDisplayNameFormat: 'Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}'
customDetails:
  AttackType: AttackType
  DisplayIdentifier: DisplayId
  AttackState: State
  AttackIdentifier: AttackId
query: |
  DynatraceAttacks
  | where State != 'ALLOWLISTED'
  | summarize  arg_max(TimeStamp, *) by AttackId  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml
queryPeriod: 1d
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: host
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: url
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: sourceIp
version: 1.0.0
name: Dynatrace Application Security - Attack detection
relevantTechniques:
- T1059
- T1565
- T1190
- T1068
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - DynatraceAttacks
  connectorId: DynatraceAttacks
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: true
    lookbackDuration: 7d
    enabled: true
  createIncident: true
id: 1b0b2065-8bac-5a00-83c4-1b58f69ac212
description: |
    'Dynatrace has detected an ongoing attack in your environment.'
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b0b2065-8bac-5a00-83c4-1b58f69ac212')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Dynatrace Application Security - Attack detection",
        "description": "'Dynatrace has detected an ongoing attack in your environment.'\n",
        "severity": "High",
        "enabled": true,
        "query": "DynatraceAttacks\n| where State != 'ALLOWLISTED'\n| summarize  arg_max(TimeStamp, *) by AttackId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Impact",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1059",
          "T1565",
          "T1190",
          "T1068"
        ],
        "alertRuleTemplateName": "1b0b2065-8bac-5a00-83c4-1b58f69ac212",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true,
            "lookbackDuration": "P7D",
            "enabled": true
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Dynatrace Attack {{State}} - {{DisplayId}} : {{DisplayName}}",
          "alertDescriptionFormat": "Dynatrace has detected an ongoing attack in your environment which was {{State}}.\n"
        },
        "customDetails": {
          "AttackState": "State",
          "AttackType": "AttackType",
          "DisplayIdentifier": "DisplayId",
          "AttackIdentifier": "AttackId"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "host",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ],
            "entityType": "URL"
          },
          {
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_AttackDetection.yaml"
      }
    }
  ]
}