Microsoft Sentinel Analytic Rules

SOCRadar Alarm Volume Spike

Id: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f
Rulename: SOCRadar Alarm Volume Spike
Description: Detects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when alarm count in the last hour exceeds the 7-day hourly average by more than 3x.
Severity: Medium
Tactics: Impact, Exfiltration
Techniques: T1485, T1567
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml
Version: 1.0.0
Arm template: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f.json
// Baseline: all alarms in the 7-day window, excluding the most recent hour,
// averaged per hour (168 = hours in 7 days)
let baseline = SOCRadar_Alarms_CL
| where TimeGenerated > ago(7d) and TimeGenerated < ago(1h)
| summarize AvgHourly = count() / 168.0;
// Recent: alarm count in the last hour, per alarm type
let recent = SOCRadar_Alarms_CL
| where TimeGenerated > ago(1h)
| summarize RecentCount = count() by AlarmMainType;
recent
| extend BaselineAvg = toscalar(baseline)
// Fire when a type exceeds 3x the hourly baseline and more than 5 alarms were seen
| where RecentCount > (BaselineAvg * 3) and RecentCount > 5
| extend SpikeRatio = round(RecentCount / BaselineAvg, 2)
| extend timestamp = now()
// Exposed under this name for the entity mapping in the rule definition
| extend AccountName = AlarmMainType
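The rule's threshold logic, re-implemented in Python over a constructed data set so it can be exercised offline (an added example, not part of the rule or of the Azure-Sentinel repository). The alarm rows, the `build_alarms`/`detect_spikes` names and the fixed `NOW` are assumptions; the example also covers the empty-baseline case, where the KQL ratio divides by zero.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed data set is reproducible (assumption, not from the rule).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def build_alarms(now=NOW):
    """Constructed SOCRadar_Alarms_CL rows as (TimeGenerated, AlarmMainType); not real data."""
    alarms = []
    # Baseline window (now-7d, now-1h): two alarms in each of the 167 full hours it covers.
    for h in range(1, 168):
        t = now - timedelta(hours=h, minutes=30)
        alarms += [(t, "Brand Protection"), (t, "Dark Web")]
    # Last hour: a burst of one type (12 alarms) and normal volume of another (1 alarm).
    alarms += [(now - timedelta(minutes=5 * m), "Data Leak") for m in range(12)]
    alarms.append((now - timedelta(minutes=20), "Brand Protection"))
    return alarms


def detect_spikes(alarms, now, ratio=3.0, min_count=5):
    """Apply the rule's logic: last-hour count per AlarmMainType vs the 7-day hourly average."""
    baseline_start, recent_start = now - timedelta(days=7), now - timedelta(hours=1)
    # One global average across all alarm types, divided by 168 exactly as the KQL does,
    # even though the window excludes the most recent hour (167 hours of data).
    baseline_n = sum(1 for t, _ in alarms if baseline_start < t < recent_start)
    baseline_avg = baseline_n / 168.0
    # Per-type counts for the last hour; each is compared against the all-types average.
    recent = Counter(kind for t, kind in alarms if t > recent_start)
    hits = []
    for kind, n in sorted(recent.items()):
        if n > baseline_avg * ratio and n > min_count:
            # With no history the baseline is 0 and the KQL ratio becomes infinite;
            # any type with more than min_count alarms then fires.
            spike = round(n / baseline_avg, 2) if baseline_avg else float("inf")
            hits.append({"AlarmMainType": kind, "RecentCount": n,
                         "BaselineAvg": round(baseline_avg, 4), "SpikeRatio": spike})
    return hits


if __name__ == "__main__":
    for hit in detect_spikes(build_alarms(), NOW):
        print(hit)
```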
id: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  entityType: Malware
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 7d
status: Available
query: |
  let baseline = SOCRadar_Alarms_CL
  | where TimeGenerated > ago(7d) and TimeGenerated < ago(1h)
  | summarize AvgHourly = count() / 168.0;
  let recent = SOCRadar_Alarms_CL
  | where TimeGenerated > ago(1h)
  | summarize RecentCount = count() by AlarmMainType;
  recent
  | extend BaselineAvg = toscalar(baseline)
  | where RecentCount > (BaselineAvg * 3) and RecentCount > 5
  | extend SpikeRatio = round(RecentCount / BaselineAvg, 2)
  | extend timestamp = now()
  | extend AccountName = AlarmMainType  
name: SOCRadar Alarm Volume Spike
kind: Scheduled
tactics:
- Impact
- Exfiltration
severity: Medium
relevantTechniques:
- T1485
- T1567
triggerThreshold: 0
version: 1.0.0
description: |
    'Detects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when alarm count in the last hour exceeds the 7-day hourly average by more than 3x.'