Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SPF Policy Set to Soft Fail

SPF Policy Set to Soft Fail

Back
Id32f4eb88-0d23-4185-8579-f1645412e9de
RulenameSPF Policy Set to Soft Fail
DescriptionSPF Policy Set to Soft Fail
SeverityLow
TacticsInitialAccess
Discovery
TechniquesT1566
T1087
Required data connectorsHVPollingIDAzureFunctions
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml
Version1.0.4
Arm template32f4eb88-0d23-4185-8579-f1645412e9de.json
Deploy To Azure
HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "SPF Policy Set to Soft Fail"

triggerOperator: gt
description: |
    'SPF Policy Set to Soft Fail'
suppressionEnabled: false
status: Available
requiredDataConnectors:
- dataTypes:
  - HackerViewLog_Azure_1_CL
  connectorId: HVPollingIDAzureFunctions
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 5m
id: 32f4eb88-0d23-4185-8579-f1645412e9de
query: HackerViewLog_Azure_1_CL | where severity_s == "low" | where progress_status_s == "New" | where status_s != "inactive"  | where issue_name_s == "SPF Policy Set to Soft Fail"
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: meta_resolved_ip_s
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: meta_host_s
  entityType: Host
- fieldMappings:
  - identifier: Url
    columnName: hackerview_link_s
  entityType: URL
name: SPF Policy Set to Soft Fail
severity: Low
queryPeriod: 5m
version: 1.0.4
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
relevantTechniques:
- T1566
- T1087
triggerThreshold: 0
suppressionDuration: 5h
tactics:
- InitialAccess
- Discovery
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32f4eb88-0d23-4185-8579-f1645412e9de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32f4eb88-0d23-4185-8579-f1645412e9de')]",
      "properties": {
        "alertRuleTemplateName": "32f4eb88-0d23-4185-8579-f1645412e9de",
        "customDetails": null,
        "description": "'SPF Policy Set to Soft Fail'\n",
        "displayName": "SPF Policy Set to Soft Fail",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "meta_resolved_ip_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "meta_host_s",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "hackerview_link_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/SPFPolicySetToSoftFail.yaml",
        "query": "HackerViewLog_Azure_1_CL | where severity_s == \"low\" | where progress_status_s == \"New\" | where status_s != \"inactive\"  | where issue_name_s == \"SPF Policy Set to Soft Fail\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1087",
          "T1566"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}