Sentinel One - Multiple alerts on host

Back


Id	47e427e6-61bc-4e24-8d16-a12871b9f939
Rulename	Sentinel One - Multiple alerts on host
Description	Detects when multiple alerts received from same host.
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	SentinelOne
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml
Version	1.0.2
Arm template	47e427e6-61bc-4e24-8d16-a12871b9f939.json

KQL

SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize count() by DstHostname, bin(TimeGenerated, 15m)
| where count_ > 1
| extend HostCustomEntity = DstHostname

YAML

name: Sentinel One - Multiple alerts on host
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize count() by DstHostname, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend HostCustomEntity = DstHostname  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
status: Available
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml
description: |
    'Detects when multiple alerts received from same host.'
version: 1.0.2
id: 47e427e6-61bc-4e24-8d16-a12871b9f939
kind: Scheduled
relevantTechniques:
- T1190
severity: High
tactics:
- InitialAccess
queryPeriod: 1h

ARM