Critical Severity Incident

MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(10m)
| where attackSeverity == "CRITICAL"
| summarize arg_max(threatMessageArrivalTime, *) by id

eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: hostname
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: processCommandLine
requiredDataConnectors:
- dataTypes:
  - Morphisec
  connectorId: MorphisecCCF
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml
queryFrequency: 10m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 5h
name: Critical Severity Incident
alertDetailsOverride:
  alertDisplayNameFormat: 'Critical alert detected: {{threatSubType}}'
relevantTechniques:
- T1059
- T1204
status: Available
version: 1.0.0
queryPeriod: 10m
kind: Scheduled
id: 4f1c9e6e-8b6b-4d2a-9f3e-123456789abc
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(10m)
  | where attackSeverity == "CRITICAL"
  | summarize arg_max(threatMessageArrivalTime, *) by id  
description: |
    'Triggers an incident for every Morphisec alert whose attacks severity is critical.'
suppressionEnabled: false
suppressionDuration: 5h
triggerOperator: gt
tactics:
- Execution
- DefenseEvasion
severity: High