Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Same custom rule triggered on different hosts

Back
Id5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
RulenameSentinel One - Same custom rule triggered on different hosts
DescriptionDetects when same custom rule was triggered on different hosts.
SeverityHigh
TacticsInitialAccess
LateralMovement
TechniquesT1190
T1210
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
Version1.0.2
Arm template5586d378-1bce-4d9b-9ac8-e7271c9d5a9a.json
Deploy To Azure
SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
| where array_length(hosts) > 1
| extend HostCustomEntity = hosts
queryPeriod: 1h
version: 1.0.2
tactics:
- InitialAccess
- LateralMovement
queryFrequency: 1h
id: 5586d378-1bce-4d9b-9ac8-e7271c9d5a9a
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
severity: High
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
triggerThreshold: 0
relevantTechniques:
- T1190
- T1210
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)
  | where array_length(hosts) > 1
  | extend HostCustomEntity = hosts  
kind: Scheduled
name: Sentinel One - Same custom rule triggered on different hosts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml
description: |
    'Detects when same custom rule was triggered on different hosts.'
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5586d378-1bce-4d9b-9ac8-e7271c9d5a9a')]",
      "properties": {
        "alertRuleTemplateName": "5586d378-1bce-4d9b-9ac8-e7271c9d5a9a",
        "customDetails": null,
        "description": "'Detects when same custom rule was triggered on different hosts.'\n",
        "displayName": "Sentinel One - Same custom rule triggered on different hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneSameCustomRuleHitOnDiffHosts.yaml",
        "query": "SentinelOne\n| where ActivityType == 3608\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend DstHostname = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| summarize hosts = makeset(DstHostname) by RuleName, bin(TimeGenerated, 15m)\n| where array_length(hosts) > 1\n| extend HostCustomEntity = hosts\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1190",
          "T1210"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}