Sentinel One - Alert from custom rule

Back


Id	5f37de91-ff2b-45fb-9eda-49e9f76a3942
Rulename	Sentinel One - Alert from custom rule
Description	Detects when alert from custom rule received.
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	SentinelOne
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml
Version	1.0.2
Arm template	5f37de91-ff2b-45fb-9eda-49e9f76a3942.json

KQL

SentinelOne
| where ActivityType == 3608
| extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
| extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
| extend HostCustomEntity = DstHostname

YAML

queryPeriod: 1h
query: |
  SentinelOne
  | where ActivityType == 3608
  | extend RuleName = extract(@'Custom Rule:\s(.*?)\sin Group', 1, EventOriginalMessage)
  | extend DstHostname = extract(@'detected on\s(\S+)\.', 1, EventOriginalMessage)
  | extend HostCustomEntity = DstHostname  
name: Sentinel One - Alert from custom rule
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAlertFromCustomRule.yaml
requiredDataConnectors:
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne
description: |
    'Detects when alert from custom rule received.'
kind: Scheduled
version: 1.0.2
status: Available
severity: High
relevantTechniques:
- T1190
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: 5f37de91-ff2b-45fb-9eda-49e9f76a3942

ARM