Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Netskope - WebTransaction Error Detection

Back
Id66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
RulenameNetskope - WebTransaction Error Detection
DescriptionRule helps to track error occurred in Netskope WebTransaction Data Connector.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsNetskopeDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version1.0.0
Arm template66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json
Deploy To Azure
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
name: Netskope - WebTransaction Error Detection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
queryPeriod: 5m
version: 1.0.0
severity: Medium
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
triggerOperator: GreaterThan
triggerThreshold: 0
kind: Scheduled
customDetails:
  ErrorMessage: error_s
  Time: TimeGenerated
requiredDataConnectors:
- dataTypes:
  - NetskopeWebtxErrors_CL
  connectorId: NetskopeDataConnector
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1204
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
alertDetailsOverride:
  alertDescriptionFormat: 'Error Message: {{error_s}}'
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
tactics:
- Execution
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AnyAlert
    lookbackDuration: 5m
    enabled: true
status: Available
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Error Message: {{error_s}}",
          "alertDisplayNameFormat": "Netskope Error at {{TimeGenerated}}"
        },
        "alertRuleTemplateName": "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f",
        "customDetails": {
          "ErrorMessage": "error_s",
          "Time": "TimeGenerated"
        },
        "description": "'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'\n",
        "displayName": "Netskope - WebTransaction Error Detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml",
        "query": "NetskopeWebtxErrors_CL\n|where error_s has_any (\"Invalid Netskope Hostname\", \"Webtx Authentication\", \"Webtx Token Empty\", \"Webtx Exponential Backoff\", \"Webtx Idle Time\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}