Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Unauthorized Command in Operational Device

Back
Id4d90d485-6d47-417e-80ea-9cf956c1a671
RulenameRadiflow - Unauthorized Command in Operational Device
DescriptionGenerates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
SeverityMedium
TacticsExecution
LateralMovement
InhibitResponseFunction
ImpairProcessControl
TechniquesT0858
T0843
T0816
T0857
T0836
T0855
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version1.0.0
Arm template4d90d485-6d47-417e-80ea-9cf956c1a671.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )
customDetails:
  DestinationMAC: DestinationMACAddress
  SourceVLAN: SourceVLAN
  Port: Port
  DestinationHostName: DestinationHostName
  SourceIP: SourceIP
  Protocol: Protocol
  SourceHostName: SourceHostName
  DestinationVendor: DestinationVendor
  SourceVendor: SourceVendor
  SourceType: SourceType
  DestinationIP: DestinationIP
  SourceMAC: SourceMACAddress
  DestinationType: DestinationType
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
suppressionDuration: 5h
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
severity: Medium
queryPeriod: 1h
kind: Scheduled
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    groupByAlertDetails: []
    groupByEntities: []
    reopenClosedIncident: false
    groupByCustomDetails: []
    matchingMethod: AllEntities
    lookbackDuration: 1h
  createIncident: true
version: 1.0.0
triggerThreshold: 0
name: Radiflow - Unauthorized Command in Operational Device
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
status: Available
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
alertDetailsOverride:
  alertDisplayNameFormat: Unauthorized Command in Operational Device
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Command in Operational Device",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "4d90d485-6d47-417e-80ea-9cf956c1a671",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Unauthorized Command in Operational Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where \n    (\n        EventClassID in (114, 115, 116, 117, 118, 119, 162)\n        or EventMessage has 'Unauthorized'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "LateralMovement"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}