Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Unauthorized Command in Operational Device

Back
Id4d90d485-6d47-417e-80ea-9cf956c1a671
RulenameRadiflow - Unauthorized Command in Operational Device
DescriptionGenerates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
SeverityMedium
TacticsExecution
LateralMovement
InhibitResponseFunction
ImpairProcessControl
TechniquesT0858
T0843
T0816
T0857
T0836
T0855
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version1.0.0
Arm template4d90d485-6d47-417e-80ea-9cf956c1a671.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: Unauthorized Command in Operational Device
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []
suppressionDuration: 5h
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
severity: Medium
queryFrequency: 1h
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
queryPeriod: 1h
name: Radiflow - Unauthorized Command in Operational Device
status: Available
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByCustomDetails: []
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByEntities: []
    enabled: true
    lookbackDuration: 1h
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  DestinationVendor: DestinationVendor
  SourceType: SourceType
  SourceMAC: SourceMACAddress
  SourceVLAN: SourceVLAN
  SourceIP: SourceIP
  Port: Port
  Protocol: Protocol
  DestinationIP: DestinationIP
  DestinationHostName: DestinationHostName
  DestinationMAC: DestinationMACAddress
  SourceVendor: SourceVendor
  DestinationType: DestinationType
  SourceHostName: SourceHostName
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Command in Operational Device",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "4d90d485-6d47-417e-80ea-9cf956c1a671",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Unauthorized Command in Operational Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where \n    (\n        EventClassID in (114, 115, 116, 117, 118, 119, 162)\n        or EventMessage has 'Unauthorized'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "LateralMovement"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}