Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Unauthorized Command in Operational Device

Back
Id4d90d485-6d47-417e-80ea-9cf956c1a671
RulenameRadiflow - Unauthorized Command in Operational Device
DescriptionGenerates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
SeverityMedium
TacticsExecution
LateralMovement
InhibitResponseFunction
ImpairProcessControl
TechniquesT0858
T0843
T0816
T0857
T0836
T0855
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version1.0.0
Arm template4d90d485-6d47-417e-80ea-9cf956c1a671.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Radiflow - Unauthorized Command in Operational Device
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDisplayNameFormat: Unauthorized Command in Operational Device
status: Available
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
suppressionDuration: 5h
customDetails:
  Protocol: Protocol
  DestinationType: DestinationType
  DestinationHostName: DestinationHostName
  SourceVendor: SourceVendor
  DestinationMAC: DestinationMACAddress
  DestinationVendor: DestinationVendor
  DestinationIP: DestinationIP
  SourceVLAN: SourceVLAN
  SourceIP: SourceIP
  Port: Port
  SourceType: SourceType
  SourceHostName: SourceHostName
  SourceMAC: SourceMACAddress
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
version: 1.0.0
triggerOperator: gt
triggerThreshold: 0
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    matchingMethod: AllEntities
    groupByCustomDetails: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByEntities: []
  createIncident: true
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
queryFrequency: 1h
kind: Scheduled
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Command in Operational Device",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "4d90d485-6d47-417e-80ea-9cf956c1a671",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Unauthorized Command in Operational Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where \n    (\n        EventClassID in (114, 115, 116, 117, 118, 119, 162)\n        or EventMessage has 'Unauthorized'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "LateralMovement"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}