Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SOCRadar High or Critical Severity Alarm

SOCRadar High or Critical Severity Alarm

Back
Id8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
RulenameSOCRadar High or Critical Severity Alarm
DescriptionDetects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.
SeverityHigh
TacticsReconnaissance
InitialAccess
TechniquesT1589
T1078
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
Version1.0.0
Arm template8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f.json
Deploy To Azure
SOCRadar_Alarms_CL
| where Severity in ("High", "Critical")
| where Status == "OPEN"
| extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
| extend AccountName = tostring(AlarmId)
| project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName

id: 8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AlarmMainType
  - identifier: Category
    columnName: AlarmSubType
  entityType: Malware
- fieldMappings:
  - identifier: Url
    columnName: AlarmUrl
  entityType: URL
requiredDataConnectors: []
queryFrequency: 15m
queryPeriod: 15m
status: Available
query: |
  SOCRadar_Alarms_CL
  | where Severity in ("High", "Critical")
  | where Status == "OPEN"
  | extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
  | extend AccountName = tostring(AlarmId)
  | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName  
name: SOCRadar High or Critical Severity Alarm
kind: Scheduled
tactics:
- Reconnaissance
- InitialAccess
severity: High
relevantTechniques:
- T1589
- T1078
triggerThreshold: 0
version: 1.0.0
description: |
    'Detects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.'