Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Radiflow - Exploit Detected

Radiflow - Exploit Detected

Back
Id6c028ebd-03ca-41cb-bce7-5727ddb43731
RulenameRadiflow - Exploit Detected
DescriptionGenerates an incident when the use of an exploit is detected by Radiflow’s iSID.
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
LateralMovement
TechniquesT0819
T0866
T0890
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml
Version1.0.0
Arm template6c028ebd-03ca-41cb-bce7-5727ddb43731.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where
    (
        EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)
        or EventMessage has 'Exploit'
    )

relevantTechniques:
- T0819
- T0866
- T0890
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    groupByCustomDetails: []
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    groupByEntities: []
name: Radiflow - Exploit Detected
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
triggerThreshold: 0
id: 6c028ebd-03ca-41cb-bce7-5727ddb43731
tactics:
- InitialAccess
- PrivilegeEscalation
- LateralMovement
version: 1.0.0
customDetails:
  DestinationType: DestinationType
  DestinationHostName: DestinationHostName
  DestinationMAC: DestinationMACAddress
  DestinationIP: DestinationIP
  SourceType: SourceType
  SourceMAC: SourceMACAddress
  DestinationVendor: DestinationVendor
  SourceVLAN: SourceVLAN
  Port: Port
  SourceHostName: SourceHostName
  SourceVendor: SourceVendor
  SourceIP: SourceIP
  Protocol: Protocol
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: 'Exploit Detected: {{EventMessage}}'
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: "A possible exploit attempt has been detected. Check the details of this incident for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
queryPeriod: 1h
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml
suppressionDuration: 5h
queryFrequency: 1h
severity: High
status: Available
suppressionEnabled: false
description: |
    'Generates an incident when the use of an exploit is detected by Radiflow's iSID.'
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where
      (
          EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)
          or EventMessage has 'Exploit'
      )  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c028ebd-03ca-41cb-bce7-5727ddb43731')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c028ebd-03ca-41cb-bce7-5727ddb43731')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A possible exploit attempt has been detected. Check the details of this incident for further information.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Exploit Detected: {{EventMessage}}",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "6c028ebd-03ca-41cb-bce7-5727ddb43731",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when the use of an exploit is detected by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Exploit Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowExploitDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where\n    (\n        EventClassID in (34, 53, 67, 68, 69, 70, 71, 179)\n        or EventMessage has 'Exploit'\n    )\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}