Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Unauthorized Command in Operational Device

Back
Id4d90d485-6d47-417e-80ea-9cf956c1a671
RulenameRadiflow - Unauthorized Command in Operational Device
DescriptionGenerates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
SeverityMedium
TacticsExecution
LateralMovement
InhibitResponseFunction
ImpairProcessControl
TechniquesT0858
T0843
T0816
T0857
T0836
T0855
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version1.0.0
Arm template4d90d485-6d47-417e-80ea-9cf956c1a671.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )
kind: Scheduled
queryPeriod: 1h
customDetails:
  Port: Port
  DestinationVendor: DestinationVendor
  DestinationMAC: DestinationMACAddress
  SourceVLAN: SourceVLAN
  DestinationHostName: DestinationHostName
  SourceMAC: SourceMACAddress
  SourceHostName: SourceHostName
  Protocol: Protocol
  SourceVendor: SourceVendor
  SourceType: SourceType
  DestinationType: DestinationType
  DestinationIP: DestinationIP
  SourceIP: SourceIP
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
queryFrequency: 1h
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
incidentConfiguration:
  groupingConfiguration:
    groupByAlertDetails: []
    groupByEntities: []
    groupByCustomDetails: []
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
  createIncident: true
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
triggerOperator: gt
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDisplayNameFormat: Unauthorized Command in Operational Device
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
suppressionEnabled: false
severity: Medium
name: Radiflow - Unauthorized Command in Operational Device
version: 1.0.0
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Command in Operational Device",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "4d90d485-6d47-417e-80ea-9cf956c1a671",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Unauthorized Command in Operational Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where \n    (\n        EventClassID in (114, 115, 116, 117, 118, 119, 162)\n        or EventMessage has 'Unauthorized'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "LateralMovement"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}