Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Netskope - WebTransaction Error Detection

Back
Id66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
RulenameNetskope - WebTransaction Error Detection
DescriptionRule helps to track error occurred in Netskope WebTransaction Data Connector.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsNetskopeDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version1.0.0
Arm template66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json
Deploy To Azure
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - NetskopeWebtxErrors_CL
  connectorId: NetskopeDataConnector
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 5m
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AnyAlert
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Netskope - WebTransaction Error Detection
triggerThreshold: 0
version: 1.0.0
customDetails:
  ErrorMessage: error_s
  Time: TimeGenerated
tactics:
- Execution
alertDetailsOverride:
  alertDescriptionFormat: 'Error Message: {{error_s}}'
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
relevantTechniques:
- T1204
triggerOperator: GreaterThan
kind: Scheduled
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
status: Available
queryFrequency: 5m
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66c4cd4c-d391-47e8-b4e6-93e55d86ca9f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Error Message: {{error_s}}",
          "alertDisplayNameFormat": "Netskope Error at {{TimeGenerated}}"
        },
        "alertRuleTemplateName": "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f",
        "customDetails": {
          "ErrorMessage": "error_s",
          "Time": "TimeGenerated"
        },
        "description": "'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'\n",
        "displayName": "Netskope - WebTransaction Error Detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml",
        "query": "NetskopeWebtxErrors_CL\n|where error_s has_any (\"Invalid Netskope Hostname\", \"Webtx Authentication\", \"Webtx Token Empty\", \"Webtx Exponential Backoff\", \"Webtx Idle Time\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}