Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Netskope - WebTransaction Error Detection

Back
Id66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
RulenameNetskope - WebTransaction Error Detection
DescriptionRule helps to track error occurred in Netskope WebTransaction Data Connector.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsNetskopeDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version1.0.0
Arm template66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json
Deploy To Azure
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
version: 1.0.0
name: Netskope - WebTransaction Error Detection
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    reopenClosedIncident: false
    matchingMethod: AnyAlert
    enabled: true
tactics:
- Execution
status: Available
relevantTechniques:
- T1204
queryFrequency: 5m
customDetails:
  Time: TimeGenerated
  ErrorMessage: error_s
alertDetailsOverride:
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
  alertDescriptionFormat: 'Error Message: {{error_s}}'
triggerOperator: GreaterThan
queryPeriod: 5m
kind: Scheduled
severity: Medium
requiredDataConnectors:
- dataTypes:
  - NetskopeWebtxErrors_CL
  connectorId: NetskopeDataConnector
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Error Message: {{error_s}}",
          "alertDisplayNameFormat": "Netskope Error at {{TimeGenerated}}"
        },
        "alertRuleTemplateName": "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f",
        "customDetails": {
          "ErrorMessage": "error_s",
          "Time": "TimeGenerated"
        },
        "description": "'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'\n",
        "displayName": "Netskope - WebTransaction Error Detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml",
        "query": "NetskopeWebtxErrors_CL\n|where error_s has_any (\"Invalid Netskope Hostname\", \"Webtx Authentication\", \"Webtx Token Empty\", \"Webtx Exponential Backoff\", \"Webtx Idle Time\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}