Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Lookout - New Threat events found

Back
Id7593cc60-e294-402d-9202-279fb3c7d55f
RulenameLookout - New Threat events found.
DescriptionCreated to detect new Threat events from the data which is recently synced by Lookout Solution.
SeverityHigh
TacticsDiscovery
TechniquesT1057
Required data connectorsLookoutAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEvent.yaml
Version1.0.0
Arm template7593cc60-e294-402d-9202-279fb3c7d55f.json
Deploy To Azure
Lookout_CL
| where details_action_s == 'DETECTED' and type_s == 'THREAT'
| extend DetailsPackageName = details_packageName_s
| extend TargetPlatform = target_platform_s
| extend TargetOsVersion = target_osVersion_s
| extend Type = type_s
| extend Severity = details_severity_s
| extend Classifications = details_classifications_s
| extend Platform = target_platform_s
description: |
    'Created to detect new Threat events from the data which is recently synced by Lookout Solution.'
version: 1.0.0
tactics:
- Discovery
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DetailsPackageName
    identifier: FullName
  - columnName: TargetPlatform
    identifier: OSFamily
  - columnName: TargetOsVersion
    identifier: OSVersion
queryFrequency: 1h
customDetails:
  Classification: Classifications
  Platform: Platform
  Type: Type
  Severity: Severity
triggerThreshold: 0
query: |
  Lookout_CL
  | where details_action_s == 'DETECTED' and type_s == 'THREAT'
  | extend DetailsPackageName = details_packageName_s
  | extend TargetPlatform = target_platform_s
  | extend TargetOsVersion = target_osVersion_s
  | extend Type = type_s
  | extend Severity = details_severity_s
  | extend Classifications = details_classifications_s
  | extend Platform = target_platform_s  
triggerOperator: gt
status: Available
relevantTechniques:
- T1057
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEvent.yaml
queryPeriod: 1h
id: 7593cc60-e294-402d-9202-279fb3c7d55f
name: Lookout - New Threat events found.
kind: Scheduled
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - Lookout_CL
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7593cc60-e294-402d-9202-279fb3c7d55f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7593cc60-e294-402d-9202-279fb3c7d55f')]",
      "properties": {
        "alertRuleTemplateName": "7593cc60-e294-402d-9202-279fb3c7d55f",
        "customDetails": {
          "Classification": "Classifications",
          "Platform": "Platform",
          "Severity": "Severity",
          "Type": "Type"
        },
        "description": "'Created to detect new Threat events from the data which is recently synced by Lookout Solution.'\n",
        "displayName": "Lookout - New Threat events found.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DetailsPackageName",
                "identifier": "FullName"
              },
              {
                "columnName": "TargetPlatform",
                "identifier": "OSFamily"
              },
              {
                "columnName": "TargetOsVersion",
                "identifier": "OSVersion"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutThreatEvent.yaml",
        "query": "Lookout_CL\n| where details_action_s == 'DETECTED' and type_s == 'THREAT'\n| extend DetailsPackageName = details_packageName_s\n| extend TargetPlatform = target_platform_s\n| extend TargetOsVersion = target_osVersion_s\n| extend Type = type_s\n| extend Severity = details_severity_s\n| extend Classifications = details_classifications_s\n| extend Platform = target_platform_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1057"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}