Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

Field Effect MDR Alert: ARO Alert

Id: 6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11
Rule name: Field Effect MDR Alert: ARO Alert
Description: Creates an incident for each Field Effect MDR ARO alert ingested into the workspace.
Severity: Medium
Tactics: Execution, DefenseEvasion
Techniques: T1059, T1562
Required data connectors: FieldEffectCCF
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR/Analytic Rules/AROAlert.yaml
Version: 1.0.0
Arm template: 6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11.json
FieldEffectAROAlerts_CL
| where TimeGenerated >= ago(5m)
| project
    TimeGenerated,
    ARO = ID,
    TITLE = Title,
    DETAILS = DetailsMarkdown,
    URL = PortalUrl,
    SEVERITY = Severity,
    Hostname,
    IPAddress,
    LastUser,
    PRODUCT_NAME = "Field Effect MDR"
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: LastUser
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: Hostname
tactics:
- Execution
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 1h
requiredDataConnectors:
- dataTypes:
  - FieldEffectAROAlerts_CL
  connectorId: FieldEffectCCF
alertDetailsOverride:
  alertDisplayNameFormat: 'Field Effect MDR Alert: ARO-{{ARO}}: {{TITLE}}'
  alertDescriptionFormat: |
    {{DETAILS}}

    For full information, visit: {{URL}}    
  alertSeverityColumnName: SEVERITY
  alertDynamicProperties:
  - value: PRODUCT_NAME
    alertProperty: ProductName
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
query: |
  FieldEffectAROAlerts_CL
  | where TimeGenerated >= ago(5m)
  | project
      TimeGenerated,
      ARO = ID,
      TITLE = Title,
      DETAILS = DetailsMarkdown,
      URL = PortalUrl,
      SEVERITY = Severity,
      Hostname,
      IPAddress,
      LastUser,
      PRODUCT_NAME = "Field Effect MDR"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR/Analytic Rules/AROAlert.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.0
name: 'Field Effect MDR Alert: ARO Alert'
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1059
- T1562
description: Creates an incident for each Field Effect MDR ARO alert ingested into the workspace.
triggerOperator: gt
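The KQL query above and the rule YAML that follows it only work as a pair: every column named in entityMappings, alertSeverityColumnName, alertDynamicProperties and the {{...}} placeholders of alertDetailsOverride has to be produced by the query's final "| project", and the schedule fields have to agree with the time filter hard-coded in the query. The following lint script is an added example (not part of the Field Effect MDR solution, the Azure-Sentinel repository, or this page); the rule dictionary is transcribed from the YAML shown above, and the helper names (to_minutes, projected_columns, referenced_columns, lint_rule) are this example's own. Besides the column cross-check it flags two things a reviewer would raise against this rule: the query period equals the query frequency and the query additionally hard-codes ago(5m), and eventGroupingSettings.aggregationKind is SingleAlert, which collapses all rows from one run into one alert even though the description promises an incident for each ARO alert (AlertPerResult is the setting that delivers that).

```python
"""Static lint checks for a Microsoft Sentinel scheduled analytics rule.

Added example, not code from the Field Effect MDR solution. RULE is
transcribed from the AROAlert.yaml shown on the page; the check logic
and helper names are assumptions of this example.
"""
import re

# Rule fields transcribed from the page's YAML (only those the checks use).
RULE = {
    "name": "Field Effect MDR Alert: ARO Alert",
    "kind": "Scheduled",
    "queryFrequency": "5m",
    "queryPeriod": "5m",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "query": """FieldEffectAROAlerts_CL
| where TimeGenerated >= ago(5m)
| project
    TimeGenerated,
    ARO = ID,
    TITLE = Title,
    DETAILS = DetailsMarkdown,
    URL = PortalUrl,
    SEVERITY = Severity,
    Hostname,
    IPAddress,
    LastUser,
    PRODUCT_NAME = "Field Effect MDR"
""",
    "entityMappings": [
        {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "LastUser"}]},
        {"entityType": "Host", "fieldMappings": [{"identifier": "HostName", "columnName": "Hostname"}]},
    ],
    "alertDetailsOverride": {
        "alertDisplayNameFormat": "Field Effect MDR Alert: ARO-{{ARO}}: {{TITLE}}",
        "alertDescriptionFormat": "{{DETAILS}}\n\nFor full information, visit: {{URL}}",
        "alertSeverityColumnName": "SEVERITY",
        "alertDynamicProperties": [{"value": "PRODUCT_NAME", "alertProperty": "ProductName"}],
    },
    "eventGroupingSettings": {"aggregationKind": "SingleAlert"},
}

_DURATION = re.compile(r"^(\d+)([mhd])$")
_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440}
_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
# Split a project list on commas that are not inside double-quoted strings.
_TOP_LEVEL_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def to_minutes(dur):
    """Convert a Sentinel duration such as '5m', '1h' or '14d' to minutes."""
    m = _DURATION.match(dur.strip())
    if not m:
        raise ValueError(f"unsupported duration: {dur!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def projected_columns(query):
    """Output column names of the query's final '| project' operator.

    Handles 'Alias = expression' and bare 'Column' entries. Returns None when
    the last operator is not 'project', since the output schema is then unknown.
    """
    last = re.split(r"\s\|\s+", query.strip())[-1]
    if not re.match(r"project(?![\w-])", last):
        return None
    cols = set()
    for item in _TOP_LEVEL_COMMA.split(last[len("project"):]):
        item = item.strip()
        if item:
            cols.add(item.split("=", 1)[0].strip())
    return cols


def referenced_columns(rule):
    """Map each column the rule relies on to the places that reference it."""
    refs = {}
    for em in rule.get("entityMappings", []):
        for fm in em["fieldMappings"]:
            refs.setdefault(fm["columnName"], []).append(f"entity {em['entityType']}.{fm['identifier']}")
    ado = rule.get("alertDetailsOverride", {})
    for key in ("alertDisplayNameFormat", "alertDescriptionFormat"):
        for col in _PLACEHOLDER.findall(ado.get(key, "")):
            refs.setdefault(col, []).append(key)
    if "alertSeverityColumnName" in ado:
        refs.setdefault(ado["alertSeverityColumnName"], []).append("alertSeverityColumnName")
    for dp in ado.get("alertDynamicProperties", []):
        refs.setdefault(dp["value"], []).append(f"dynamicProperty {dp['alertProperty']}")
    return refs


def lint_rule(rule):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    findings = []
    cols = projected_columns(rule["query"])
    if cols is None:
        findings.append(("warn", "query has no final '| project'; mapped columns cannot be verified"))
    else:
        for col, users in sorted(referenced_columns(rule).items()):
            if col not in cols:
                findings.append(("error", f"column {col!r} used by {', '.join(users)} is not projected"))
    freq, period = to_minutes(rule["queryFrequency"]), to_minutes(rule["queryPeriod"])
    if period < freq:
        findings.append(("error", "queryPeriod is shorter than queryFrequency; Sentinel rejects this"))
    elif period == freq:
        findings.append(("warn", "queryPeriod equals queryFrequency: no overlap between runs, so rows that "
                                 "arrive after the run window can be missed; a longer period adds overlap "
                                 "(at the cost of possible duplicate alerts)"))
    for lit in re.findall(r"ago\((\d+[mhd])\)", rule["query"]):
        if to_minutes(lit) != period:
            findings.append(("warn", f"query hard-codes ago({lit}) but queryPeriod is {rule['queryPeriod']}"))
    if rule.get("eventGroupingSettings", {}).get("aggregationKind") == "SingleAlert":
        findings.append(("warn", "aggregationKind SingleAlert collapses all rows from one run into one alert; "
                                 "use AlertPerResult for one incident per ARO alert"))
    return findings


if __name__ == "__main__":
    for level, msg in lint_rule(RULE):
        print(f"[{level}] {msg}")
```

Run against the transcribed rule it reports no errors (every referenced column is projected) and two warnings: the equal period and frequency, and the SingleAlert grouping. Changing queryPeriod to, say, 1h without editing the query triggers the ago(5m) mismatch warning, which is the reason a practitioner removes the redundant where clause and lets queryPeriod alone define the window.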