Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Netskope - WebTransaction Error Detection

Back
Id66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
RulenameNetskope - WebTransaction Error Detection
DescriptionRule helps to track error occurred in Netskope WebTransaction Data Connector.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsNetskopeDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version1.0.0
Arm template66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json
Deploy To Azure
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
triggerThreshold: 0
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: true
    matchingMethod: AnyAlert
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  Time: TimeGenerated
  ErrorMessage: error_s
relevantTechniques:
- T1204
triggerOperator: GreaterThan
version: 1.0.0
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
requiredDataConnectors:
- connectorId: NetskopeDataConnector
  dataTypes:
  - NetskopeWebtxErrors_CL
alertDetailsOverride:
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
  alertDescriptionFormat: 'Error Message: {{error_s}}'
name: Netskope - WebTransaction Error Detection
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
tactics:
- Execution
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Error Message: {{error_s}}",
          "alertDisplayNameFormat": "Netskope Error at {{TimeGenerated}}"
        },
        "alertRuleTemplateName": "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f",
        "customDetails": {
          "ErrorMessage": "error_s",
          "Time": "TimeGenerated"
        },
        "description": "'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'\n",
        "displayName": "Netskope - WebTransaction Error Detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml",
        "query": "NetskopeWebtxErrors_CL\n|where error_s has_any (\"Invalid Netskope Hostname\", \"Webtx Authentication\", \"Webtx Token Empty\", \"Webtx Exponential Backoff\", \"Webtx Idle Time\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}