Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Same custom rule triggered on different hosts

Back
Id5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
RulenameSentinel One - Same custom rule triggered on different hosts
DescriptionDetects when same custom rule was triggered on different hosts.
SeverityHigh
TacticsInitialAccess
LateralMovement
TechniquesT1190
T1210
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
Version1.0.2
Arm template5586d378-1bce-4d9b-9ac8-e7271c9d5a9a.json
Deploy To Azure
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
| where array_length(hosts) > 1
| extend HostCustomEntity = hosts
relevantTechniques:
- T1190
- T1210
name: Sentinel One - Same custom rule triggered on different hosts
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
  | where array_length(hosts) > 1
  | extend HostCustomEntity = hosts  
queryPeriod: 1h
tactics:
- InitialAccess
- LateralMovement
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
description: |
    'Detects when same custom rule was triggered on different hosts.'
status: Available
queryFrequency: 1h
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
triggerThreshold: 0
severity: High
version: 1.0.2
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "properties": {
        "alertRuleTemplateName": "5586d378-1bce-4d9b-9ac8-e7271c9d5a9a",
        "customDetails": null,
        "description": "'Detects when same custom rule was triggered on different hosts.'\n",
        "displayName": "Sentinel One - Same custom rule triggered on different hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml",
        "query": "SentinelOne\n| where ActivityType == 3608\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend DstHostname = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)\n| where array_length(hosts) > 1\n| extend HostCustomEntity = hosts\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1190",
          "T1210"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}