Microsoft Sentinel Analytic Rules

SecurityBridge: A critical event occurred

Id8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
RulenameSecurityBridge: A critical event occured
DescriptionThis rule alerts if any critical event occurred in the SAP system
SeverityMedium
TacticsInitialAccess
Required data connectorsSecurityBridge
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version1.0.0
Arm template8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json

// Detection body of the scheduled rule: select every SecurityBridge record whose Severity
// field mentions "Critical". No columns are projected, so downstream entity mapping relies on
// the table's own columns.
// NOTE(review): `contains` is a case-insensitive substring match, so a value such as
// "non-critical" would also match; `Severity == "Critical"` (or `has`) would be stricter —
// confirm the value set the connector emits before tightening.
SecurityBridgeLogs
| where Severity contains "Critical"
# Microsoft Sentinel scheduled analytic rule definition (source of the ARM template below).
name: 'SecurityBridge: A critical event occured'
# Block scalar with indentation indicator 2: the blank first line becomes a leading newline in
# the stored query, and the two-space indent of the following lines is stripped.
# NOTE(review): the query reads SecurityBridgeLogs while the connector's data type is
# SecurityBridgeLogs_CL (see requiredDataConnectors) — presumably a parser function maps one
# to the other; verify it exists in the target workspace or the rule returns nothing.
query: |2

  SecurityBridgeLogs
  | where Severity contains "Critical"
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
# Runs every 5 minutes over the preceding 5 minutes: frequency equals period, so consecutive
# windows do not overlap. NOTE(review): with no overlap, records that land after ingestion delay
# may fall outside every window — consider a queryPeriod longer than queryFrequency if that matters.
queryFrequency: 5m
# Threshold 0 with operator gt: a single matching row is enough to raise an alert.
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SecurityBridgeLogs_CL
  connectorId: SecurityBridge
version: 1.0.0
status: Available
queryPeriod: 5m
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
triggerOperator: gt
# Entities are taken from columns the query does not project (maincontact, dhost, Computer);
# they must exist on the source table for the Account/Host entities to be populated.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: maincontact
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: dhost
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: Computer
  entityType: Host
severity: Medium
# Literal block scalar; the surrounding single quotes are part of the stored description text.
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "SecurityBridge: A critical event occured",
        "description": "'This rule alerts if there is any critical event occured in the SAP system'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "\nSecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "maincontact"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "dhost"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "Computer"
              }
            ],
            "entityType": "Host"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml"
      }
    }
  ]
}