Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SecurityBridge A critical event occured

SecurityBridge A critical event occured

Back
Id8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
RulenameSecurityBridge: A critical event occured
DescriptionThis rule alerts if there is any critical event occured in the SAP system
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsCustomLogsAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version1.0.4
Arm template8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json
Deploy To Azure
SecurityBridgeLogs
| where Severity contains "Critical"

triggerOperator: gt
queryFrequency: 5m
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - SecurityBridgeLogs_CL
relevantTechniques:
- T1189
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: maincontact
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: dhost
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: dvchost
query: |
  SecurityBridgeLogs
  | where Severity contains "Critical"  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
queryPeriod: 5m
name: 'SecurityBridge: A critical event occured'
status: Available
kind: Scheduled
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
version: 1.0.4
tactics:
- InitialAccess
severity: Medium