Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Unauthorized Command in Operational Device

Back
Id4d90d485-6d47-417e-80ea-9cf956c1a671
RulenameRadiflow - Unauthorized Command in Operational Device
DescriptionGenerates an incident when an unauthorized command is detected in the network by Radiflow’s iSID.
SeverityMedium
TacticsExecution
LateralMovement
InhibitResponseFunction
ImpairProcessControl
TechniquesT0858
T0843
T0816
T0857
T0836
T0855
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
Version1.0.0
Arm template4d90d485-6d47-417e-80ea-9cf956c1a671.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where 
    (
        EventClassID in (114, 115, 116, 117, 118, 119, 162)
        or EventMessage has 'Unauthorized'
    )
alertDetailsOverride:
  alertDescriptionFormat: "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDisplayNameFormat: Unauthorized Command in Operational Device
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
suppressionEnabled: false
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where 
      (
          EventClassID in (114, 115, 116, 117, 118, 119, 162)
          or EventMessage has 'Unauthorized'
      )  
relevantTechniques:
- T0858
- T0843
- T0816
- T0857
- T0836
- T0855
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 1h
customDetails:
  SourceVendor: SourceVendor
  DestinationVendor: DestinationVendor
  DestinationHostName: DestinationHostName
  SourceIP: SourceIP
  DestinationMAC: DestinationMACAddress
  DestinationIP: DestinationIP
  SourceHostName: SourceHostName
  Protocol: Protocol
  SourceMAC: SourceMACAddress
  Port: Port
  SourceType: SourceType
  DestinationType: DestinationType
  SourceVLAN: SourceVLAN
tactics:
- Execution
- LateralMovement
- InhibitResponseFunction
- ImpairProcessControl
id: 4d90d485-6d47-417e-80ea-9cf956c1a671
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    groupByEntities: []
    lookbackDuration: 1h
    groupByCustomDetails: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml
description: |
    'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'
queryFrequency: 1h
name: Radiflow - Unauthorized Command in Operational Device
severity: Medium
version: 1.0.0
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d90d485-6d47-417e-80ea-9cf956c1a671')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An unauthorized command has been detected. Please check the alert details for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Command in Operational Device",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "4d90d485-6d47-417e-80ea-9cf956c1a671",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized command is detected in the network by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Unauthorized Command in Operational Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedCommandinOperationalDevice.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where \n    (\n        EventClassID in (114, 115, 116, 117, 118, 119, 162)\n        or EventMessage has 'Unauthorized'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "LateralMovement"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}