Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Netskope - WebTransaction Error Detection

Back
Id66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
RulenameNetskope - WebTransaction Error Detection
DescriptionRule helps to track error occurred in Netskope WebTransaction Data Connector.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsNetskopeDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version1.0.0
Arm template66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json
Deploy To Azure
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
customDetails:
  Time: TimeGenerated
  ErrorMessage: error_s
status: Available
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
alertDetailsOverride:
  alertDescriptionFormat: 'Error Message: {{error_s}}'
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
name: Netskope - WebTransaction Error Detection
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AnyAlert
    reopenClosedIncident: false
    lookbackDuration: 5m
    enabled: true
  createIncident: true
relevantTechniques:
- T1204
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - NetskopeWebtxErrors_CL
  connectorId: NetskopeDataConnector
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
queryPeriod: 5m
version: 1.0.0
kind: Scheduled
tactics:
- Execution
triggerOperator: GreaterThan
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Error Message: {{error_s}}",
          "alertDisplayNameFormat": "Netskope Error at {{TimeGenerated}}"
        },
        "alertRuleTemplateName": "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f",
        "customDetails": {
          "ErrorMessage": "error_s",
          "Time": "TimeGenerated"
        },
        "description": "'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'\n",
        "displayName": "Netskope - WebTransaction Error Detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml",
        "query": "NetskopeWebtxErrors_CL\n|where error_s has_any (\"Invalid Netskope Hostname\", \"Webtx Authentication\", \"Webtx Token Empty\", \"Webtx Exponential Backoff\", \"Webtx Idle Time\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}