Sentinel One - Alert from custom rule

Back


Id	5f37de91-ff2b-45fb-9eda-49e9f76a3942
Rulename	Sentinel One - Alert from custom rule
Description	Detects when alert from custom rule received.
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	SentinelOne
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml
Version	1.0.2
Arm template	5f37de91-ff2b-45fb-9eda-49e9f76a3942.json

KQL

SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| extend HostCustomEntity = DstHostname

YAML

relevantTechniques:
- T1190
name: Sentinel One - Alert from custom rule
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
triggerThreshold: 0
id: 5f37de91-ff2b-45fb-9eda-49e9f76a3942
tactics:
- InitialAccess
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: High
status: Available
description: |
    'Detects when alert from custom rule received.'
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | extend HostCustomEntity = DstHostname  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5f37de91-ff2b-45fb-9eda-49e9f76a3942')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5f37de91-ff2b-45fb-9eda-49e9f76a3942')]",
      "properties": {
        "alertRuleTemplateName": "5f37de91-ff2b-45fb-9eda-49e9f76a3942",
        "customDetails": null,
        "description": "'Detects when alert from custom rule received.'\n",
        "displayName": "Sentinel One - Alert from custom rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml",
        "query": "SentinelOne\n| where ActivityType == 3608\n| extend RuleName = extract(@'Custom Rule:\\s(.*?)\\sin Group', 1, EventOriginalMessage)\n| extend DstHostname = extract(@'detected on\\s(\\S+)\\.', 1, EventOriginalMessage)\n| extend HostCustomEntity = DstHostname\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}