Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Exploit Detected

Back
Id6c028ebd-03ca-41cb-bce7-5727ddb43731
RulenameRadiflow - Exploit Detected
DescriptionGenerates an incident when the use of an exploit is detected by Radiflow’s iSID.
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
LateralMovement
TechniquesT0819
T0866
T0890
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml
Version1.0.0
Arm template6c028ebd-03ca-41cb-bce7-5727ddb43731.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where
    (
        EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)
        or EventMessage has 'Exploit'
    )
status: Available
triggerOperator: gt
triggerThreshold: 0
name: Radiflow - Exploit Detected
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: "A possible exploit attempt has been detected. Check the details of this incident for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDynamicProperties: []
  alertDisplayNameFormat: 'Exploit Detected: {{EventMessage}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml
queryPeriod: 1h
severity: High
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
suppressionEnabled: false
queryFrequency: 1h
relevantTechniques:
- T0819
- T0866
- T0890
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
kind: Scheduled
customDetails:
  DestinationType: DestinationType
  Protocol: Protocol
  SourceType: SourceType
  SourceVLAN: SourceVLAN
  DestinationIP: DestinationIP
  SourceIP: SourceIP
  SourceHostName: SourceHostName
  DestinationVendor: DestinationVendor
  DestinationHostName: DestinationHostName
  SourceVendor: SourceVendor
  Port: Port
  DestinationMAC: DestinationMACAddress
  SourceMAC: SourceMACAddress
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    groupByAlertDetails: []
    groupByEntities: []
    enabled: true
    lookbackDuration: 1h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
description: |
    'Generates an incident when the use of an exploit is detected by Radiflow's iSID.'
tactics:
- InitialAccess
- PrivilegeEscalation
- LateralMovement
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where
      (
          EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)
          or EventMessage has 'Exploit'
      )  
id: 6c028ebd-03ca-41cb-bce7-5727ddb43731
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c028ebd-03ca-41cb-bce7-5727ddb43731')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c028ebd-03ca-41cb-bce7-5727ddb43731')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A possible exploit attempt has been detected. Check the details of this incident for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Exploit Detected: {{EventMessage}}",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "6c028ebd-03ca-41cb-bce7-5727ddb43731",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when the use of an exploit is detected by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Exploit Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where\n    (\n        EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)\n        or EventMessage has 'Exploit'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}