Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. D3 Smart SOAR - High or critical severity incident detected

D3 Smart SOAR - High or critical severity incident detected

Back
Id48ef0be4-8240-4a03-bbb9-320b562d6ce4
RulenameD3 Smart SOAR - High or critical severity incident detected
DescriptionIdentifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
SeverityHigh
TacticsImpact
TechniquesT1499
Required data connectorsD3SOARConnectorDefinition
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
Version1.0.0
Arm template48ef0be4-8240-4a03-bbb9-320b562d6ce4.json
Deploy To Azure
D3SOARIncidents_CL
| where TimeGenerated > ago(1h)
| where IncidentSeverity in ("High", "Critical")
| project
    TimeGenerated,
    IncidentNumber,
    IncidentTitle,
    IncidentSeverity,
    IncidentStatus,
    IncidentType,
    IncidentPriority,
    IncidentOwner,
    IncidentCreator,
    IncidentDescription,
    IncidentStage

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: IncidentOwner
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - D3SOARIncidents_CL
  connectorId: D3SOARConnectorDefinition
id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
severity: High
status: Available
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  | where IncidentSeverity in ("High", "Critical")
  | project
      TimeGenerated,
      IncidentNumber,
      IncidentTitle,
      IncidentSeverity,
      IncidentStatus,
      IncidentType,
      IncidentPriority,
      IncidentOwner,
      IncidentCreator,
      IncidentDescription,
      IncidentStage  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: D3 Smart SOAR - High or critical severity incident detected
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1499
description: |
    Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
triggerOperator: gt