SecurityBridge: A critical event occured

Back


Id	8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
Rulename	SecurityBridge: A critical event occured
Description	This rule alerts if there is any critical event occured in the SAP system
Severity	Medium
Tactics	InitialAccess
Required data connectors	SecurityBridge
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version	1.0.0
Arm template	8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json

KQL


SecurityBridgeLogs
| where Severity contains "Critical"

YAML

severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
triggerOperator: gt
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - SecurityBridgeLogs_CL
  connectorId: SecurityBridge
queryFrequency: 5m
triggerThreshold: 0
tactics:
- InitialAccess
query: |2

  SecurityBridgeLogs
  | where Severity contains "Critical"
status: Available
kind: Scheduled
version: 1.0.0
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
entityMappings:
- fieldMappings:
  - columnName: maincontact
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: dhost
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: Computer
    identifier: HostName
  entityType: Host
name: 'SecurityBridge: A critical event occured'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "SecurityBridge: A critical event occured",
        "description": "'This rule alerts if there is any critical event occured in the SAP system'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "\nSecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "maincontact",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "dhost",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml"
      }
    }
  ]
}