
Critical Severity Incident

Id4f1c9e6e-8b6b-4d2a-9f3e-123456789abc
RulenameCritical Severity Incident
DescriptionTriggers an incident for every Morphisec alert whose attack severity is critical.
SeverityHigh
TacticsExecution
DefenseEvasion
TechniquesT1059
T1204
Required data connectorsMorphisecCCF
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml
Version1.0.0
Arm template4f1c9e6e-8b6b-4d2a-9f3e-123456789abc.json
// Morphisec alerts that arrived in the last 10 minutes and are rated CRITICAL,
// reduced to the most recent record per alert id. arg_max(…, *) keeps every
// column of that record, so downstream entity mappings see the full row.
// Note: == is a case-sensitive comparison in KQL; "critical" would not match.
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(10m) and attackSeverity == "CRITICAL"
| summarize arg_max(threatMessageArrivalTime, *) by id
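# Microsoft Sentinel scheduled analytic rule: raises one alert (and incident)
# per Morphisec alert whose attackSeverity is CRITICAL.
# Keys are grouped by purpose; the loader does not depend on key order.

# --- identity -----------------------------------------------------------------
id: 4f1c9e6e-8b6b-4d2a-9f3e-123456789abc
name: Critical Severity Incident
# Plain quoted scalar: the previous block-scalar form (`|` with a quoted line
# inside) carried the literal single quotes and a trailing newline into the
# rendered description.
description: 'Triggers an incident for every Morphisec alert whose attacks severity is critical.'
severity: High
# Quoted so no YAML 1.1 parser can reinterpret a version string.
version: '1.0.0'
status: Available
kind: Scheduled
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml'

# --- data source ---------------------------------------------------------------
requiredDataConnectors:
- connectorId: MorphisecCCF
  dataTypes:
  - Morphisec

# --- ATT&CK coverage ----------------------------------------------------------
tactics:
- Execution
- DefenseEvasion
relevantTechniques:
- T1059
- T1204

# --- detection logic ----------------------------------------------------------
# queryPeriod equals queryFrequency, so consecutive runs do not overlap, and the
# ago(10m) filter inside the query repeats the period bound. A Morphisec alert
# that is ingested more than 10 minutes after its threatMessageArrivalTime can
# therefore fall outside every run's window — TODO confirm whether a wider
# queryPeriod (the arg_max already deduplicates by id) is preferable.
# `|` keeps one trailing newline, as before; trailing spaces on the last query
# line were removed because a block scalar keeps them as part of the value.
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(10m)
  | where attackSeverity == "CRITICAL"
  | summarize arg_max(threatMessageArrivalTime, *) by id
queryFrequency: 10m
queryPeriod: 10m
# Fire when the query returns more than zero rows.
triggerOperator: gt
triggerThreshold: 0

# --- alert / incident shaping ------------------------------------------------
# One alert per result row; after arg_max each row is one Morphisec alert id.
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  # Grouping is disabled, so every alert becomes its own incident; the
  # lookback/matching settings below only take effect if enabled is set true.
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities

# Column names are taken from the query result. arg_max(…, *) projects every
# column of MorphisecAlerts_CL, so hostname, processCommandLine and
# threatSubType are assumed to exist in the connector schema — TODO confirm
# against the MorphisecCCF data type definition.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: hostname
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: processCommandLine
alertDetailsOverride:
  # Quoted: the value contains ": " and "{{", both of which YAML would
  # otherwise try to parse.
  alertDisplayNameFormat: 'Critical alert detected: {{threatSubType}}'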
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f1c9e6e-8b6b-4d2a-9f3e-123456789abc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f1c9e6e-8b6b-4d2a-9f3e-123456789abc')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Critical alert detected: {{threatSubType}}"
        },
        "alertRuleTemplateName": "4f1c9e6e-8b6b-4d2a-9f3e-123456789abc",
        "customDetails": null,
        "description": "'Triggers an incident for every Morphisec alert whose attacks severity is critical.'\n",
        "displayName": "Critical Severity Incident",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "processCommandLine",
                "identifier": "CommandLine"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml",
        "query": "MorphisecAlerts_CL\n| where threatMessageArrivalTime >= ago(10m)\n| where attackSeverity == \"CRITICAL\"\n| summarize arg_max(threatMessageArrivalTime, *) by id\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1059",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}