SecurityBridge A critical event occured

Back


Id	8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
Rulename	SecurityBridge: A critical event occured
Description	This rule alerts if there is any critical event occured in the SAP system
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version	1.0.4
Arm template	8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json

KQL

SecurityBridgeLogs
| where Severity contains "Critical"

YAML

status: Available
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
query: |
  SecurityBridgeLogs
  | where Severity contains "Critical"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
name: 'SecurityBridge: A critical event occured'
relevantTechniques:
- T1189
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: maincontact
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: dhost
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: dvchost
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- datatypes:
  - SecurityBridgeLogs_CL
  connectorId: CustomLogsAma
queryFrequency: 5m
queryPeriod: 5m
version: 1.0.4
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "properties": {
        "alertRuleTemplateName": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
        "customDetails": null,
        "description": "'This rule alerts if there is any critical event occured in the SAP system'\n",
        "displayName": "SecurityBridge: A critical event occured",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "maincontact",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "dhost",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "dvchost",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml",
        "query": "SecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}