Radiflow - Unauthorized Command in Operational Device

Back


Id	4d90d485-6d47-417e-80ea-9cf956c1a671
Rulename	Radiflow - Unauthorized Command in Operational Device
Description	Generates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
Severity	Medium
Tactics	Execution LateralMovement InhibitResponseFunction ImpairProcessControl
Techniques	T0858 T0843 T0816 T0857 T0836 T0855
Required data connectors	RadiflowIsid
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version	1.0.0
Arm template	4d90d485-6d47-417e-80ea-9cf956c1a671.json

KQL

RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )

YAML

queryFrequency: 1h
queryPeriod: 1h
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
version: 1.0.0
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails: []
    groupByEntities: []
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1h
    groupByAlertDetails: []
severity: Medium
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIP
    identifier: Address
  entityType: IP
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
triggerThreshold: 0
suppressionDuration: 5h
kind: Scheduled
triggerOperator: gt
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Radiflow - Unauthorized Command in Operational Device
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: Unauthorized Command in Operational Device
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDynamicProperties: []
customDetails:
  SourceHostName: SourceHostName
  SourceType: SourceType
  SourceVLAN: SourceVLAN
  Port: Port
  SourceMAC: SourceMACAddress
  DestinationIP: DestinationIP
  DestinationType: DestinationType
  SourceVendor: SourceVendor
  DestinationHostName: DestinationHostName
  Protocol: Protocol
  DestinationVendor: DestinationVendor
  DestinationMAC: DestinationMACAddress
  SourceIP: SourceIP
status: Available

ARM