Device Alert Surge

Back


Id	5c8e1f2e-9d6b-4f4a-8f3e-123456789abc
Rulename	Device Alert Surge
Description	Triggers an incident when a device generates 5 or more Medium or High severity alerts, indicating potential compromise.
Severity	High
Tactics	Execution DefenseEvasion
Techniques	T1059 T1204
Required data connectors	MorphisecCCF
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecDeviceAlertSurge.yaml
Version	1.0.0
Arm template	5c8e1f2e-9d6b-4f4a-8f3e-123456789abc.json

KQL

MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(1h)
| where attackSeverity in ("HIGH", "MEDIUM")
| summarize arg_max(threatMessageArrivalTime, *) by id
| summarize AlertCount = dcount(id) by hostname
| where AlertCount >= 5

YAML

kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: hostname
    identifier: HostName
description: |
    'Triggers an incident when a device generates 5 or more Medium or High severity alerts, indicating potential compromise.'
severity: High
queryFrequency: 1h
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
    enabled: false
    groupByEntities:
    - Host
    groupByAlertDetails:
    - DisplayName
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1059
- T1204
suppressionEnabled: false
status: Available
tactics:
- Execution
- DefenseEvasion
name: Device Alert Surge
id: 5c8e1f2e-9d6b-4f4a-8f3e-123456789abc
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(1h)
  | where attackSeverity in ("HIGH", "MEDIUM")
  | summarize arg_max(threatMessageArrivalTime, *) by id
  | summarize AlertCount = dcount(id) by hostname
  | where AlertCount >= 5  
requiredDataConnectors:
- dataTypes:
  - Morphisec
  connectorId: MorphisecCCF
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: 'Device alert surge detected: {{hostname}}'
  alertDescriptionFormat: Device {{hostname}} triggered {{AlertCount}} distinct High/Medium alerts within the last hour.
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecDeviceAlertSurge.yaml
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5c8e1f2e-9d6b-4f4a-8f3e-123456789abc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5c8e1f2e-9d6b-4f4a-8f3e-123456789abc')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Device {{hostname}} triggered {{AlertCount}} distinct High/Medium alerts within the last hour.",
          "alertDisplayNameFormat": "Device alert surge detected: {{hostname}}"
        },
        "alertRuleTemplateName": "5c8e1f2e-9d6b-4f4a-8f3e-123456789abc",
        "customDetails": null,
        "description": "'Triggers an incident when a device generates 5 or more Medium or High severity alerts, indicating potential compromise.'\n",
        "displayName": "Device Alert Surge",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecDeviceAlertSurge.yaml",
        "query": "MorphisecAlerts_CL\n| where threatMessageArrivalTime >= ago(1h)\n| where attackSeverity in (\"HIGH\", \"MEDIUM\")\n| summarize arg_max(threatMessageArrivalTime, *) by id\n| summarize AlertCount = dcount(id) by hostname\n| where AlertCount >= 5\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1059",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}