Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Awake Security - High Match Counts By Device

Awake Security - High Match Counts By Device

Back
Id90b7ac11-dd6c-4ba1-a99b-737061873859
RulenameAwake Security - High Match Counts By Device
DescriptionThis query searches for devices with unexpectedly large number of activity match.
SeverityMedium
Required data connectorsAristaAwakeSecurity
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
Version1.0.0
Arm template90b7ac11-dd6c-4ba1-a99b-737061873859.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where ModelMatchCount > 1000 and MaxSeverity > 2
| extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))

queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: SourceIPs
    identifier: Address
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml
relevantTechniques: []
query: |
  CommonSecurityLog
  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where ModelMatchCount > 1000 and MaxSeverity > 2
  | extend SeverityName=iff(MaxSeverity == 0, "Informational", iff(MaxSeverity < 5, "Low", iff(MaxSeverity < 8, "Medium", "High")))  
id: 90b7ac11-dd6c-4ba1-a99b-737061873859
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByEntities:
    - Host
    reopenClosedIncident: true
    enabled: true
    lookbackDuration: 3d
    matchingMethod: Selected
    groupByCustomDetails:
    - Device
requiredDataConnectors:
- connectorId: AristaAwakeSecurity
  dataTypes:
  - CommonSecurityLog (AwakeSecurity)
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Matches_ASP_URLs: ASPMatchURLs
  Device: SourceHostName
  Matches_Max_Severity: MaxSeverity
  Matched_Models: Models
  Matches_Dest_IPs: DestinationIPs
  Matches_Count: ModelMatchCount
description: This query searches for devices with unexpectedly large number of activity match.
queryPeriod: 1h
alertDetailsOverride:
  alertSeverityColumnName: SeverityName
  alertDescriptionFormat: |-
    The following Awake model(s):

    {{Models}}

    matched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:

    {{DestinationIPs}}    
  alertTacticsColumnName: 
  alertDisplayNameFormat: Awake Security - High Model Match Counts On Device {{SourceHostName}}
status: Available
name: Awake Security - High Match Counts By Device
version: 1.0.0
tactics: []
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/90b7ac11-dd6c-4ba1-a99b-737061873859')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/90b7ac11-dd6c-4ba1-a99b-737061873859')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Awake Security - High Match Counts By Device",
        "description": "This query searches for devices with unexpectedly large number of activity match.",
        "severity": "Medium",
        "enabled": true,
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),\n  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName\n| where ModelMatchCount > 1000 and MaxSeverity > 2\n| extend SeverityName=iff(MaxSeverity == 0, \"Informational\", iff(MaxSeverity < 5, \"Low\", iff(MaxSeverity < 8, \"Medium\", \"High\")))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": "90b7ac11-dd6c-4ba1-a99b-737061873859",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "groupByAlertDetails": [],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "P3D",
            "groupByCustomDetails": [
              "Device"
            ],
            "reopenClosedIncident": true,
            "enabled": true,
            "matchingMethod": "Selected"
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": "SeverityName",
          "alertDisplayNameFormat": "Awake Security - High Model Match Counts On Device {{SourceHostName}}",
          "alertTacticsColumnName": null,
          "alertDescriptionFormat": "The following Awake model(s):\n\n{{Models}}\n\nmatched {{ModelMatchCount}} activities, an unexpectedly large number. The destination IPs associated with these matches were:\n\n{{DestinationIPs}}"
        },
        "customDetails": {
          "Matches_Dest_IPs": "DestinationIPs",
          "Device": "SourceHostName",
          "Matches_ASP_URLs": "ASPMatchURLs",
          "Matches_Max_Severity": "MaxSeverity",
          "Matched_Models": "Models",
          "Matches_Count": "ModelMatchCount"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SourceHostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIPs"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighMatchCountsByDevice.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}