Radiflow - Policy Violation Detected

Back


Id	a3f4cc3e-2403-4570-8d21-1dedd5632958
Rulename	Radiflow - Policy Violation Detected
Description	Generates an incident when an unauthorized session or action is detected either by Radiflow’s iSID.
Severity	Medium
Tactics	LateralMovement ImpairProcessControl Execution Collection Persistence
Techniques	T0886 T0855 T0858 T0845 T0889 T0843
Required data connectors	RadiflowIsid
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml
Version	1.0.0
Arm template	a3f4cc3e-2403-4570-8d21-1dedd5632958.json

KQL

RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)
| extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)

YAML

queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
    groupByAlertDetails: []
    enabled: true
    lookbackDuration: 1h
    groupByCustomDetails: []
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)
  | extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)  
customDetails:
  SourceVLAN: SourceVLAN
  SourceMAC: SourceMACAddress
  Protocol: Protocol
  DestinationVendor: DestinationVendor
  DestinationType: DestinationType
  SourceVendor: SourceVendor
  SourceIP: SourceIP
  DestinationMAC: DestinationMACAddress
  DestinationIP: DestinationIP
  Port: Port
  DestinationHostName: DestinationHostName
  SourceType: SourceType
  SourceHostName: SourceHostName
relevantTechniques:
- T0886
- T0855
- T0858
- T0845
- T0889
- T0843
name: Radiflow - Policy Violation Detected
description: |
    'Generates an incident when an unauthorized session or action is detected either by Radiflow's iSID.'
severity: Medium
queryPeriod: 1h
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: Recent activity which violates the security policy has been detected in the network. Please check the details for additional information.
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: Policy Violation Detected
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: NetBiosName
    columnName: SourceHostName
  - identifier: HostName
    columnName: SourceHostName
- entityType: Host
  fieldMappings:
  - identifier: NetBiosName
    columnName: DestinationHostName
  - identifier: HostName
    columnName: DestinationHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
status: Available
tactics:
- LateralMovement
- ImpairProcessControl
- Execution
- Collection
- Persistence
id: a3f4cc3e-2403-4570-8d21-1dedd5632958
version: 1.0.0
kind: Scheduled
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3f4cc3e-2403-4570-8d21-1dedd5632958')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3f4cc3e-2403-4570-8d21-1dedd5632958')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Recent activity which violates the security policy has been detected in the network. Please check the details for additional information.",
          "alertDisplayNameFormat": "Policy Violation Detected",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "a3f4cc3e-2403-4570-8d21-1dedd5632958",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized session or action is detected either by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Policy Violation Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)\n| extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Execution",
          "ImpairProcessControl",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}