Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Same custom rule triggered on different hosts

Back
Id5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
RulenameSentinel One - Same custom rule triggered on different hosts
DescriptionDetects when same custom rule was triggered on different hosts.
SeverityHigh
TacticsInitialAccess
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
Version1.0.1
Arm template5586d378-1bce-4d9b-9ac8-e7271c9d5a9a.json
Deploy To Azure
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
| where array_length(hosts) > 1
| extend HostCustomEntity = hosts
triggerOperator: gt
id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
severity: High
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
  | where array_length(hosts) > 1
  | extend HostCustomEntity = hosts  
description: |
    'Detects when same custom rule was triggered on different hosts.'
name: Sentinel One - Same custom rule triggered on different hosts
tactics:
- InitialAccess
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Sentinel One - Same custom rule triggered on different hosts",
        "description": "'Detects when same custom rule was triggered on different hosts.'\n",
        "severity": "High",
        "enabled": true,
        "query": "SentinelOne\n| where ActivityType == 3608\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend DstHostname = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)\n| where array_length(hosts) > 1\n| extend HostCustomEntity = hosts\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "5586d378-1bce-4d9b-9ac8-e7271c9d5a9a",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          }
        ],
        "templateVersion": "1.0.1",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml"
      }
    }
  ]
}