Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Same custom rule triggered on different hosts

Back
Id5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
RulenameSentinel One - Same custom rule triggered on different hosts
DescriptionDetects when same custom rule was triggered on different hosts.
SeverityHigh
TacticsInitialAccess
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
Version1.0.1
Arm template5586d378-1bce-4d9b-9ac8-e7271c9d5a9a.json
Deploy To Azure
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
| where array_length(hosts) > 1
| extend HostCustomEntity = hosts
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
description: |
    'Detects when same custom rule was triggered on different hosts.'
triggerOperator: gt
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
queryFrequency: 1h
triggerThreshold: 0
tactics:
- InitialAccess
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
  | where array_length(hosts) > 1
  | extend HostCustomEntity = hosts  
status: Available
kind: Scheduled
version: 1.0.1
id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
name: Sentinel One - Same custom rule triggered on different hosts
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Sentinel One - Same custom rule triggered on different hosts",
        "description": "'Detects when same custom rule was triggered on different hosts.'\n",
        "severity": "High",
        "enabled": true,
        "query": "SentinelOne\n| where ActivityType == 3608\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend DstHostname = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)\n| where array_length(hosts) > 1\n| extend HostCustomEntity = hosts\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "5586d378-1bce-4d9b-9ac8-e7271c9d5a9a",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml"
      }
    }
  ]
}