Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SOCRadar High or Critical Severity Alarm

SOCRadar High or Critical Severity Alarm

Back
Id8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
RulenameSOCRadar High or Critical Severity Alarm
DescriptionDetects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.
SeverityHigh
TacticsReconnaissance
InitialAccess
TechniquesT1589
T1078
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
Version1.0.0
Arm template8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f.json
Deploy To Azure
SOCRadar_Alarms_CL
| where Severity in ("High", "Critical")
| where Status == "OPEN"
| extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
| extend AccountName = tostring(AlarmId)
| project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName

status: Available
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
query: |
  SOCRadar_Alarms_CL
  | where Severity in ("High", "Critical")
  | where Status == "OPEN"
  | extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
  | extend AccountName = tostring(AlarmId)
  | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
tactics:
- Reconnaissance
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: AlarmMainType
  - identifier: Category
    columnName: AlarmSubType
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: AlarmUrl
requiredDataConnectors: []
kind: Scheduled
relevantTechniques:
- T1589
- T1078
description: |
    'Detects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.'
name: SOCRadar High or Critical Severity Alarm
version: 1.0.0
id: 8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
severity: High