Microsoft Sentinel Analytic Rules

Awake Security - High Match Counts By Device

Id: 90b7ac11-dd6c-4ba1-a99b-737061873859
Rulename: Awake Security - High Match Counts By Device
Description: This query searches for devices with an unexpectedly large number of activity matches.
Severity: Medium
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
Version: 1.0.2
Arm template: 90b7ac11-dd6c-4ba1-a99b-737061873859.json
CommonSecurityLog
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where ModelMatchCount > 1000 and MaxSeverity > 2
| extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))
description: This query searches for devices with an unexpectedly large number of activity matches.
tactics: []
severity: Medium
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: SourceIPs
    identifier: Address
  entityType: IP
queryFrequency: 1h
triggerOperator: gt
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  CommonSecurityLog
  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where ModelMatchCount > 1000 and MaxSeverity > 2
  | extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))
customDetails:
  Matches_ASP_URLs: ASPMatchURLs
  Matched_Models: Models
  Matches_Count: ModelMatchCount
  Matches_Dest_IPs: DestinationIPs
  Matches_Max_Severity: MaxSeverity
  Device: SourceHostName
name: Awake Security - High Match Counts By Device
alertDetailsOverride:
  alertDescriptionFormat: |-
    The following Awake model(s):

    {{Models}}

    matched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:

    {{DestinationIPs}}
  alertSeverityColumnName: SeverityName
  alertTacticsColumnName: 
  alertDisplayNameFormat: Awake Security - High Model Match Counts On Device {{SourceHostName}}
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails:
    - Device
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: 3d
    matchingMethod: Selected
    groupByAlertDetails: []
    groupByEntities:
    - Host
  createIncident: true
version: 1.0.2
triggerThreshold: 0
id: 90b7ac11-dd6c-4ba1-a99b-737061873859
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
relevantTechniques: []
queryPeriod: 1h
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma