Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Critical Severity Incident

Critical Severity Incident

Back
Id4f1c9e6e-8b6b-4d2a-9f3e-123456789abc
RulenameCritical Severity Incident
DescriptionTriggers an incident for every Morphisec alert whose attacks severity is critical.
SeverityHigh
TacticsExecution
DefenseEvasion
TechniquesT1059
T1204
Required data connectorsMorphisecCCF
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml
Version1.0.0
Arm template4f1c9e6e-8b6b-4d2a-9f3e-123456789abc.json
Deploy To Azure
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(10m)
| where attackSeverity == "CRITICAL"
| summarize arg_max(threatMessageArrivalTime, *) by id

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: hostname
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: processCommandLine
tactics:
- Execution
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - Morphisec
  connectorId: MorphisecCCF
alertDetailsOverride:
  alertDisplayNameFormat: 'Critical alert detected: {{threatSubType}}'
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 4f1c9e6e-8b6b-4d2a-9f3e-123456789abc
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(10m)
  | where attackSeverity == "CRITICAL"
  | summarize arg_max(threatMessageArrivalTime, *) by id  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecCriticalSeverityIncident.yaml
kind: Scheduled
queryPeriod: 10m
version: 1.0.0
name: Critical Severity Incident
queryFrequency: 10m
triggerThreshold: 0
relevantTechniques:
- T1059
- T1204
description: |
    'Triggers an incident for every Morphisec alert whose attacks severity is critical.'
triggerOperator: gt