SecurityBridgeLogs
| where Severity contains "Critical"
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
entityMappings:
- fieldMappings:
- identifier: Name
columnName: maincontact
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: dhost
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: dvchost
entityType: Host
requiredDataConnectors:
- datatypes:
- SecurityBridgeLogs_CL
connectorId: CustomLogsAma
queryFrequency: 5m
queryPeriod: 5m
status: Available
query: |
SecurityBridgeLogs
| where Severity contains "Critical"
name: 'SecurityBridge: A critical event occured'
kind: Scheduled
tactics:
- InitialAccess
severity: Medium
relevantTechniques:
- T1189
triggerThreshold: 0
version: 1.0.4
description: |
'This rule alerts if there is any critical event occured in the SAP system'
