Microsoft Sentinel Analytic Rules

D3 Smart SOAR - High or critical severity incident detected

Id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
Rulename: D3 Smart SOAR - High or critical severity incident detected
Description: Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
Severity: High
Tactics: Impact
Techniques: T1499
Required data connectors: D3SOARConnectorDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
Version: 1.0.0
Arm template: 48ef0be4-8240-4a03-bbb9-320b562d6ce4.json

D3SOARIncidents_CL
| where TimeGenerated > ago(1h)
| where IncidentSeverity in ("High", "Critical")
| project
    TimeGenerated,
    IncidentNumber,
    IncidentTitle,
    IncidentSeverity,
    IncidentStatus,
    IncidentType,
    IncidentPriority,
    IncidentOwner,
    IncidentCreator,
    IncidentDescription,
    IncidentStage

entityMappings:
- fieldMappings:
  - columnName: IncidentOwner
    identifier: Name
  entityType: Account
triggerOperator: gt
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
version: 1.0.0
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  | where IncidentSeverity in ("High", "Critical")
  | project
      TimeGenerated,
      IncidentNumber,
      IncidentTitle,
      IncidentSeverity,
      IncidentStatus,
      IncidentType,
      IncidentPriority,
      IncidentOwner,
      IncidentCreator,
      IncidentDescription,
      IncidentStage  
triggerThreshold: 0
relevantTechniques:
- T1499
queryPeriod: 1h
status: Available
severity: High
kind: Scheduled
name: D3 Smart SOAR - High or critical severity incident detected
queryFrequency: 1h
id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
description: |
    Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
requiredDataConnectors:
- dataTypes:
  - D3SOARIncidents_CL
  connectorId: D3SOARConnectorDefinition