Sentinel One - Multiple alerts on host

Back


Id	47e427e6-61bc-4e24-8d16-a12871b9f939
Rulename	Sentinel One - Multiple alerts on host
Description	Detects when multiple alerts received from same host.
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	SentinelOne
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml
Version	1.0.2
Arm template	47e427e6-61bc-4e24-8d16-a12871b9f939.json

KQL

SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize count() by DstHostname, bin(TimeGenerated, 15m)
| where count_ > 1
| extend HostCustomEntity = DstHostname

YAML

description: |
    'Detects when multiple alerts received from same host.'
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize count() by DstHostname, bin(TimeGenerated, 15m)
  | where count_ > 1
  | extend HostCustomEntity = DstHostname  
tactics:
- InitialAccess
severity: High
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
relevantTechniques:
- T1190
id: 47e427e6-61bc-4e24-8d16-a12871b9f939
name: Sentinel One - Multiple alerts on host
kind: Scheduled
triggerOperator: gt
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneMultipleAlertsOnHost.yaml
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne

ARM