Netskope - WebTransaction Error Detection

Back


Id	66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
Rulename	Netskope - WebTransaction Error Detection
Description	Rule helps to track error occurred in Netskope WebTransaction Data Connector.
Severity	Medium
Tactics	Execution
Techniques	T1204
Required data connectors	NetskopeDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version	1.0.0
Arm template	66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json

KQL

NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")

YAML

queryPeriod: 5m
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
kind: Scheduled
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
tactics:
- Execution
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    matchingMethod: AnyAlert
    lookbackDuration: 5m
    reopenClosedIncident: false
  createIncident: true
triggerOperator: GreaterThan
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
  alertDescriptionFormat: 'Error Message: {{error_s}}'
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
version: 1.0.0
triggerThreshold: 0
customDetails:
  ErrorMessage: error_s
  Time: TimeGenerated
status: Available
relevantTechniques:
- T1204
name: Netskope - WebTransaction Error Detection
severity: Medium
requiredDataConnectors:
- dataTypes:
  - NetskopeWebtxErrors_CL
  connectorId: NetskopeDataConnector
queryFrequency: 5m

ARM