SOCRadar High or Critical Severity Alarm

SOCRadar_Alarms_CL
| where Severity in ("High", "Critical")
| where Status == "OPEN"
| extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
| extend AccountName = tostring(AlarmId)
| project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName

relevantTechniques:
- T1589
- T1078
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: AlarmMainType
    identifier: Name
  - columnName: AlarmSubType
    identifier: Category
- entityType: URL
  fieldMappings:
  - columnName: AlarmUrl
    identifier: Url
version: 1.0.0
id: 8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
severity: High
kind: Scheduled
queryFrequency: 15m
description: |
    'Detects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.'
requiredDataConnectors: []
triggerOperator: gt
name: SOCRadar High or Critical Severity Alarm
tactics:
- Reconnaissance
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
triggerThreshold: 0
queryPeriod: 15m
query: |
  SOCRadar_Alarms_CL
  | where Severity in ("High", "Critical")
  | where Status == "OPEN"
  | extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
  | extend AccountName = tostring(AlarmId)
  | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName  
status: Available