Microsoft Sentinel Analytic Rules

SPF Policy Set to Soft Fail

Id: 32f4eb88-0d23-4185-8579-f1645412e9de
Rule name: SPF Policy Set to Soft Fail
Description: SPF Policy Set to Soft Fail — the monitored domain's SPF record ends in a soft-fail qualifier (~all), so receiving mail servers are asked to accept but flag messages from unauthorised senders rather than reject them, which weakens the domain's protection against spoofed phishing mail.
Severity: Low
Tactics: InitialAccess, Discovery
Techniques: T1566 (Phishing), T1087 (Account Discovery)
Required data connectors: HVPollingIDAzureFunctions
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt (greater than — fires on any matching row)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic%20Rules/SPFPolicySetToSoftFail.yaml
Version: 1.0.4
Arm template: 32f4eb88-0d23-4185-8579-f1645412e9de.json
// CTM360 HackerView findings named "SPF Policy Set to Soft Fail": the domain's
// SPF record ends in a soft-fail qualifier (~all), so receivers accept-but-flag
// mail from unauthorised senders instead of rejecting it, leaving the domain
// easier to spoof in phishing. Only new, still-active, low-severity findings
// are returned (the three state filters are combined into one predicate).
// NOTE(review): == and != are case-sensitive in KQL; if the feed ever emits
// "Low" or "Inactive" those rows are silently dropped (=~ / !~ would be the
// case-insensitive forms) — confirm the connector's actual values.
HackerViewLog_Azure_1_CL
| where issue_name_s == "SPF Policy Set to Soft Fail"
| where severity_s == "low" and progress_status_s == "New" and status_s != "inactive"
# Microsoft Sentinel scheduled analytic rule (CTM360 HackerView solution).
# Raises a Low-severity alert whenever the CTM360 feed reports a new
# "SPF Policy Set to Soft Fail" finding: the monitored domain's SPF record
# ends in a soft-fail qualifier (~all), so receivers are told to accept but
# flag mail from unauthorised senders instead of rejecting it, which leaves
# the domain easier to spoof in phishing campaigns.
id: '32f4eb88-0d23-4185-8579-f1645412e9de'  # template GUID; the ARM template's alertRuleTemplateName refers to it
name: SPF Policy Set to Soft Fail
# The block scalar keeps the surrounding single quotes and the trailing
# newline as part of the description text (mirrored in the ARM template).
description: |
  'SPF Policy Set to Soft Fail'
severity: Low
status: Available

requiredDataConnectors:
  - connectorId: HVPollingIDAzureFunctions
    dataTypes:
      - HackerViewLog_Azure_1_CL

# Look-back equals the run interval, so each run covers exactly one window.
# NOTE(review): there is no overlap to absorb ingestion delay from the polling
# function; a finding that lands late could fall between windows — confirm
# the connector's typical latency before relying on 5m/5m.
queryFrequency: 5m
queryPeriod: 5m
# Fire on any matching row (row count > 0).
triggerOperator: gt
triggerThreshold: 0

tactics:
  - InitialAccess
  - Discovery
relevantTechniques:
  - T1566  # Phishing — a soft-fail SPF policy makes sender spoofing easier
  - T1087  # Account Discovery — NOTE(review): loose fit for a DNS-posture finding; confirm the mapping is intended

# Only new, still-active, low-severity findings with this issue name.
# NOTE(review): == / != are case-sensitive in KQL; if the feed ever emits
# "Low" or "Inactive" those rows are silently skipped — verify feed values.
query: |-
  HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "SPF Policy Set to Soft Fail"

entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: meta_resolved_ip_s
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: meta_host_s
  - entityType: URL  # presumably a link back to the finding in HackerView rather than an indicator — verify
    fieldMappings:
      - identifier: Url
        columnName: hackerview_link_s

# Every row returned by one run collapses into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  # Grouping is disabled, so each alert opens its own incident.
  # NOTE(review): with progress_status_s == "New" as the only state filter,
  # an unchanged finding may re-alert on every 5-minute run until its status
  # changes upstream — confirm how the connector updates progress_status_s.
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
suppressionEnabled: false
suppressionDuration: 5h

version: '1.0.4'
kind: Scheduled
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32f4eb88-0d23-4185-8579-f1645412e9de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32f4eb88-0d23-4185-8579-f1645412e9de')]",
      "properties": {
        "alertRuleTemplateName": "32f4eb88-0d23-4185-8579-f1645412e9de",
        "customDetails": null,
        "description": "'SPF Policy Set to Soft Fail'\n",
        "displayName": "SPF Policy Set to Soft Fail",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "meta_resolved_ip_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "meta_host_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "hackerview_link_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml",
        "query": "HackerViewLog_Azure_1_CL | where severity_s == \"low\" | where progress_status_s == \"New\" | where status_s != \"inactive\"  | where issue_name_s == \"SPF Policy Set to Soft Fail\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1087",
          "T1566"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}