Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Awake Security - High Match Counts By Device

Back
Id90b7ac11-dd6c-4ba1-a99b-737061873859
RulenameAwake Security - High Match Counts By Device
DescriptionThis query searches for devices with unexpectedly large number of activity match.
SeverityMedium
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
Version1.0.2
Arm template90b7ac11-dd6c-4ba1-a99b-737061873859.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where ModelMatchCount > 1000 and MaxSeverity > 2
| extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    groupByEntities:
    - Host
    matchingMethod: Selected
    lookbackDuration: 3d
    groupByAlertDetails: []
    groupByCustomDetails:
    - Device
    reopenClosedIncident: true
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
query: |
  CommonSecurityLog
  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where ModelMatchCount > 1000 and MaxSeverity > 2
  | extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))  
description: This query searches for devices with unexpectedly large number of activity match.
kind: Scheduled
name: Awake Security - High Match Counts By Device
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
relevantTechniques: []
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIPs
  entityType: IP
queryFrequency: 1h
version: 1.0.2
tactics: []
id: 90b7ac11-dd6c-4ba1-a99b-737061873859
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: |-
    The following Awake model(s):

    {{Models}}

    matched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:

    {{DestinationIPs}}    
  alertTacticsColumnName: 
  alertDisplayNameFormat: Awake Security - High Model Match Counts On Device {{SourceHostName}}
  alertSeverityColumnName: SeverityName
status: Available
queryPeriod: 1h
triggerOperator: gt
customDetails:
  Matches_Max_Severity: MaxSeverity
  Matches_Count: ModelMatchCount
  Matched_Models: Models
  Matches_ASP_URLs: ASPMatchURLs
  Matches_Dest_IPs: DestinationIPs
  Device: SourceHostName
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/90b7ac11-dd6c-4ba1-a99b-737061873859')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/90b7ac11-dd6c-4ba1-a99b-737061873859')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The following Awake model(s):\n\n{{Models}}\n\nmatched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:\n\n{{DestinationIPs}}",
          "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}",
          "alertSeverityColumnName": "SeverityName",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "90b7ac11-dd6c-4ba1-a99b-737061873859",
        "customDetails": {
          "Device": "SourceHostName",
          "Matched_Models": "Models",
          "Matches_ASP_URLs": "ASPMatchURLs",
          "Matches_Count": "ModelMatchCount",
          "Matches_Dest_IPs": "DestinationIPs",
          "Matches_Max_Severity": "MaxSeverity"
        },
        "description": "This query searches for devices with unexpectedly large number of activity match.",
        "displayName": "Awake Security - High Match Counts By Device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIPs",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "Device"
            ],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "P3D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),\n  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName\n| where ModelMatchCount > 1000 and MaxSeverity > 2\n| extend SeverityName=iff(MaxSeverity == 0, \"Informational\", iff(MaxSeverity < 5, \"Low\", iff(MaxSeverity < 8, \"Medium\", \"High\")))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}