Microsoft Sentinel Analytic Rules

Critical Risks

Id: 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60
Rule name: Critical Risks
Description: This query searches for all the exploited risks that RidgeBot identified
Severity: High
Tactics: Execution
InitialAccess
PrivilegeEscalation
Techniques: T1189
T1059
T1053
T1548
Required data connectors: CefAma
RidgeBotDataConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Risks.yaml
Version: 1.0.1
Arm template: 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60.json
// RidgeBot "Critical Risks": every CEF event from vendor RidgeSecurity whose
// DeviceEventClassID is 4001 (the exploited-risk class according to the rule's
// description; confirm the class ID against the vendor's CEF field reference).
CommonSecurityLog
// Pin the vendor before matching the class ID so another CEF product that also
// emits a "4001" class cannot satisfy this rule.
| where DeviceVendor == "RidgeSecurity"
| where DeviceEventClassID == "4001"
// The rule triggers on row count (gt 0), so this ordering does not affect
// whether it fires; it only orders the rows shown in the alert.
| order by TimeGenerated desc 
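# RidgeSecurity "Critical Risks" scheduled analytic rule.
# Surfaces every CEF event that RidgeBot tagged with DeviceEventClassID 4001
# (the exploited-risk class according to the description below; confirm the
# class ID against the vendor's CEF field reference). Events arrive in
# CommonSecurityLog through the CEF via AMA connector.
id: 1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60
name: Critical Risks
description: |
    This query searches for all the exploited risks that RidgeBot identified
# High: the description says these are risks RidgeBot actually exploited,
# i.e. validated attack paths rather than unconfirmed scanner findings.
severity: High
status: Available
kind: Scheduled
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Risks.yaml
requiredDataConnectors:
  - connectorId: RidgeBotDataConnector
    dataTypes:
      - CommonSecurityLog
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
# queryFrequency equals queryPeriod, so consecutive runs tile the timeline
# with no gap. Keep queryPeriod >= queryFrequency or events will be skipped.
queryFrequency: 1h
queryPeriod: 1h
# gt 0: a single matching event is enough to raise an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - InitialAccess
  - PrivilegeEscalation
relevantTechniques:
  - T1189
  - T1059
  - T1053
  - T1548
# |- (strip) replaces | so the trailing whitespace/newline the original block
# carried is no longer part of the query text.
query: |-
  CommonSecurityLog
  | where DeviceVendor == "RidgeSecurity"
  | where DeviceEventClassID == "4001"
  | order by TimeGenerated desc
entityMappings:
  # The original mapped DeviceVendor -> Account.FullName. The query pins
  # DeviceVendor to the literal "RidgeSecurity", so that entity was always the
  # constant vendor string, never an account; it has been dropped so it does not
  # pollute entity pages and investigation graphs with a fake "RidgeSecurity" user.
  # NOTE(review): Computer in CommonSecurityLog is normally the host the CEF
  # collector/agent runs on, not the target RidgeBot exploited, and it holds a
  # hostname rather than an IP address. Verify against a sample 4001 event and
  # consider DestinationIP / DestinationHostName from the CEF extension instead.
  - entityType: IP
    fieldMappings:
      - columnName: Computer
        identifier: Address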
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60')]",
      "properties": {
        "alertRuleTemplateName": "1eebfaf3-40e1-4bc2-9f42-049b7b8ceb60",
        "customDetails": null,
        "description": "This query searches for all the exploited risks that RidgeBot identified\n",
        "displayName": "Critical Risks",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "DeviceVendor",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Risks.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"RidgeSecurity\"\n| where DeviceEventClassID == \"4001\"\n| order by TimeGenerated desc \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1053",
          "T1059",
          "T1189",
          "T1548"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}