Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SOCRadar High or Critical Severity Alarm

SOCRadar High or Critical Severity Alarm

Back
Id8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
RulenameSOCRadar High or Critical Severity Alarm
DescriptionDetects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.
SeverityHigh
TacticsReconnaissance
InitialAccess
TechniquesT1589
T1078
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
Version1.0.0
Arm template8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f.json
Deploy To Azure
SOCRadar_Alarms_CL
| where Severity in ("High", "Critical")
| where Status == "OPEN"
| extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
| extend AccountName = tostring(AlarmId)
| project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName

entityMappings:
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: AlarmMainType
  - identifier: Category
    columnName: AlarmSubType
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: AlarmUrl
tactics:
- Reconnaissance
- InitialAccess
requiredDataConnectors: []
id: 8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
severity: High
status: Available
query: |
  SOCRadar_Alarms_CL
  | where Severity in ("High", "Critical")
  | where Status == "OPEN"
  | extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
  | extend AccountName = tostring(AlarmId)
  | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
kind: Scheduled
queryPeriod: 15m
version: 1.0.0
name: SOCRadar High or Critical Severity Alarm
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1589
- T1078
description: |
    'Detects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.'
triggerOperator: gt