Netskope - WebTransaction Error Detection

Back


Id	66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
Rulename	Netskope - WebTransaction Error Detection
Description	Rule helps to track error occurred in Netskope WebTransaction Data Connector.
Severity	Medium
Tactics	Execution
Techniques	T1204
Required data connectors	NetskopeDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
Version	1.0.0
Arm template	66c4cd4c-d391-47e8-b4e6-93e55d86ca9f.json

KQL

NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")

YAML

incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AnyAlert
  createIncident: true
id: 66c4cd4c-d391-47e8-b4e6-93e55d86ca9f
query: |
  NetskopeWebtxErrors_CL
  |where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")  
description: |
    'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
requiredDataConnectors:
- connectorId: NetskopeDataConnector
  dataTypes:
  - NetskopeWebtxErrors_CL
alertDetailsOverride:
  alertDisplayNameFormat: Netskope Error at {{TimeGenerated}}
  alertDescriptionFormat: 'Error Message: {{error_s}}'
tactics:
- Execution
status: Available
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: GreaterThan
kind: Scheduled
name: Netskope - WebTransaction Error Detection
customDetails:
  ErrorMessage: error_s
  Time: TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Analytic Rules/NetskopeWebTxErrors.yaml
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1204
severity: Medium
triggerThreshold: 0

ARM