Microsoft Sentinel Analytic Rules

SOCRadar Alarm Volume Spike

Id: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f
Rulename: SOCRadar Alarm Volume Spike
Description: Detects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when the alarm count in the last hour exceeds the 7-day hourly average by more than 3x.
Severity: Medium
Tactics: Impact, Exfiltration
Techniques: T1485, T1567
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml
Version: 1.0.0
Arm template: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f.json
let baseline = SOCRadar_Alarms_CL
| where TimeGenerated > ago(7d) and TimeGenerated < ago(1h)
| summarize AvgHourly = count() / 168.0;
let recent = SOCRadar_Alarms_CL
| where TimeGenerated > ago(1h)
| summarize RecentCount = count() by AlarmMainType;
recent
| extend BaselineAvg = toscalar(baseline)
| where RecentCount > (BaselineAvg * 3) and RecentCount > 5
| extend SpikeRatio = round(RecentCount / BaselineAvg, 2)
| extend timestamp = now()
| extend AccountName = AlarmMainType
relevantTechniques:
- T1485
- T1567
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: AccountName
    identifier: Name
version: 1.0.0
id: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'Detects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when alarm count in the last hour exceeds the 7-day hourly average by more than 3x.'
requiredDataConnectors: []
triggerOperator: gt
name: SOCRadar Alarm Volume Spike
tactics:
- Impact
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml
triggerThreshold: 0
queryPeriod: 7d
query: |
  let baseline = SOCRadar_Alarms_CL
  | where TimeGenerated > ago(7d) and TimeGenerated < ago(1h)
  | summarize AvgHourly = count() / 168.0;
  let recent = SOCRadar_Alarms_CL
  | where TimeGenerated > ago(1h)
  | summarize RecentCount = count() by AlarmMainType;
  recent
  | extend BaselineAvg = toscalar(baseline)
  | where RecentCount > (BaselineAvg * 3) and RecentCount > 5
  | extend SpikeRatio = round(RecentCount / BaselineAvg, 2)
  | extend timestamp = now()
  | extend AccountName = AlarmMainType  
status: Available