Radiflow - Unauthorized Command in Operational Device

Back


Id	4d90d485-6d47-417e-80ea-9cf956c1a671
Rulename	Radiflow - Unauthorized Command in Operational Device
Description	Generates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
Severity	Medium
Tactics	Execution LateralMovement InhibitResponseFunction ImpairProcessControl
Techniques	T0858 T0843 T0816 T0857 T0836 T0855
Required data connectors	RadiflowIsid
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version	1.0.0
Arm template	4d90d485-6d47-417e-80ea-9cf956c1a671.json

KQL

RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )

YAML

relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
severity: Medium
name: Radiflow - Unauthorized Command in Operational Device
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    groupByEntities: []
  createIncident: true
suppressionEnabled: false
version: 1.0.0
kind: Scheduled
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
suppressionDuration: 5h
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
triggerOperator: gt
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
queryPeriod: 1h
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDisplayNameFormat: Unauthorized Command in Operational Device
customDetails:
  Protocol: Protocol
  SourceIP: SourceIP
  DestinationMAC: DestinationMACAddress
  SourceHostName: SourceHostName
  SourceMAC: SourceMACAddress
  DestinationHostName: DestinationHostName
  Port: Port
  DestinationVendor: DestinationVendor
  DestinationType: DestinationType
  DestinationIP: DestinationIP
  SourceVLAN: SourceVLAN
  SourceVendor: SourceVendor
  SourceType: SourceType

ARM