Device Alert Surge

MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(1h)
| where attackSeverity in ("HIGH", "MEDIUM")
| summarize arg_max(threatMessageArrivalTime, *) by id
| summarize AlertCount = dcount(id) by hostname
| where AlertCount >= 5

suppressionEnabled: false
description: |
    'Triggers an incident when a device generates 5 or more Medium or High severity alerts, indicating potential compromise.'
kind: Scheduled
tactics:
- Execution
- DefenseEvasion
requiredDataConnectors:
- connectorId: MorphisecCCF
  dataTypes:
  - Morphisec
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    groupByEntities:
    - Host
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
    groupByAlertDetails:
    - DisplayName
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecDeviceAlertSurge.yaml
severity: High
name: Device Alert Surge
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 1h
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(1h)
  | where attackSeverity in ("HIGH", "MEDIUM")
  | summarize arg_max(threatMessageArrivalTime, *) by id
  | summarize AlertCount = dcount(id) by hostname
  | where AlertCount >= 5  
relevantTechniques:
- T1059
- T1204
alertDetailsOverride:
  alertDescriptionFormat: Device {{hostname}} triggered {{AlertCount}} distinct High/Medium alerts within the last hour.
  alertDisplayNameFormat: 'Device alert surge detected: {{hostname}}'
id: 5c8e1f2e-9d6b-4f4a-8f3e-123456789abc
queryFrequency: 1h
status: Available
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: hostname
    identifier: HostName