Microsoft Sentinel Analytic Rules

D3 Smart SOAR - High or critical severity incident detected

Id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
Rulename: D3 Smart SOAR - High or critical severity incident detected
Description: Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
Severity: High
Tactics: Impact
Techniques: T1499
Required data connectors: D3SOARConnectorDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
Version: 1.0.0
Arm template: 48ef0be4-8240-4a03-bbb9-320b562d6ce4.json
D3SOARIncidents_CL
| where TimeGenerated > ago(1h)
| where IncidentSeverity in ("High", "Critical")
| project
    TimeGenerated,
    IncidentNumber,
    IncidentTitle,
    IncidentSeverity,
    IncidentStatus,
    IncidentType,
    IncidentPriority,
    IncidentOwner,
    IncidentCreator,
    IncidentDescription,
    IncidentStage
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
queryPeriod: 1h
description: |
    Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
triggerThreshold: 0
name: D3 Smart SOAR - High or critical severity incident detected
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: IncidentOwner
kind: Scheduled
requiredDataConnectors:
- connectorId: D3SOARConnectorDefinition
  dataTypes:
  - D3SOARIncidents_CL
queryFrequency: 1h
tactics:
- Impact
id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
status: Available
version: 1.0.0
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  | where IncidentSeverity in ("High", "Critical")
  | project
      TimeGenerated,
      IncidentNumber,
      IncidentTitle,
      IncidentSeverity,
      IncidentStatus,
      IncidentType,
      IncidentPriority,
      IncidentOwner,
      IncidentCreator,
      IncidentDescription,
      IncidentStage
severity: High
relevantTechniques:
- T1499