SecurityBridgeLogs
| where Severity contains "Critical"
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: maincontact
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: dhost
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: dvchost
tactics:
- InitialAccess
requiredDataConnectors:
- datatypes:
- SecurityBridgeLogs_CL
connectorId: CustomLogsAma
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
severity: Medium
status: Available
query: |
SecurityBridgeLogs
| where Severity contains "Critical"
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.4
name: 'SecurityBridge: A critical event occured'
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1189
description: |
'This rule alerts if there is any critical event occured in the SAP system'
triggerOperator: gt
