Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SecurityBridge A critical event occured

Back
Id8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
RulenameSecurityBridge: A critical event occured
DescriptionThis rule alerts if there is any critical event occured in the SAP system
SeverityMedium
TacticsInitialAccess
Required data connectorsSecurityBridge
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
Version1.0.0
Arm template8c5c766a-ce9b-4112-b6ed-1b8fe33733b7.json
Deploy To Azure

SecurityBridgeLogs
| where Severity contains "Critical"
triggerOperator: gt
tactics:
- InitialAccess
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml
queryFrequency: 5m
description: |
    'This rule alerts if there is any critical event occured in the SAP system'
requiredDataConnectors:
- dataTypes:
  - SecurityBridgeLogs_CL
  connectorId: SecurityBridge
version: 1.0.0
triggerThreshold: 0
severity: Medium
id: 8c5c766a-ce9b-4112-b6ed-1b8fe33733b7
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: maincontact
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: dhost
    identifier: HostName
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: HostName
status: Available
name: 'SecurityBridge: A critical event occured'
query: |2

  SecurityBridgeLogs
  | where Severity contains "Critical"
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
      "properties": {
        "alertRuleTemplateName": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
        "customDetails": null,
        "description": "'This rule alerts if there is any critical event occured in the SAP system'\n",
        "displayName": "SecurityBridge: A critical event occured",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "maincontact",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "dhost",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge App/Analytical Rules/CriticalEventTriggered.yaml",
        "query": "\nSecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}