Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SecurityBridge: A critical event occured

Back
Id8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
RulenameSecurityBridge: A critical event occured
DescriptionThis rule alerts if there is any critical event occured in the SAP system
SeverityMedium
TacticsInitialAccess
Required data connectorsSecurityBridge
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version1.0.0
Arm template8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json
Deploy To Azure

SecurityBridgeLogs
| where Severity contains "Critical"
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
triggerOperator: gt
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - SecurityBridgeLogs_CL
  connectorId: SecurityBridge
queryFrequency: 5m
triggerThreshold: 0
tactics:
- InitialAccess
query: |2

  SecurityBridgeLogs
  | where Severity contains "Critical"
status: Available
kind: Scheduled
version: 1.0.0
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
entityMappings:
- fieldMappings:
  - columnName: maincontact
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: dhost
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: Computer
    identifier: HostName
  entityType: Host
name: 'SecurityBridge: A critical event occured'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "SecurityBridge: A critical event occured",
        "description": "'This rule alerts if there is any critical event occured in the SAP system'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "\nSecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "maincontact",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "dhost",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml"
      }
    }
  ]
}