Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Policy Violation Detected

Back
Ida3f4cc3e-2403-4570-8d21-1dedd5632958
RulenameRadiflow - Policy Violation Detected
DescriptionGenerates an incident when an unauthorized session or action is detected either by Radiflow’s iSID.
SeverityMedium
TacticsLateralMovement
ImpairProcessControl
Execution
Collection
Persistence
TechniquesT0886
T0855
T0858
T0845
T0889
T0843
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml
Version1.0.0
Arm templatea3f4cc3e-2403-4570-8d21-1dedd5632958.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)
| extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    groupByAlertDetails: []
    groupByEntities: []
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByCustomDetails: []
    enabled: true
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml
version: 1.0.0
suppressionEnabled: false
relevantTechniques:
- T0886
- T0855
- T0858
- T0845
- T0889
- T0843
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: NetBiosName
    columnName: SourceHostName
  - identifier: HostName
    columnName: SourceHostName
- entityType: Host
  fieldMappings:
  - identifier: NetBiosName
    columnName: DestinationHostName
  - identifier: HostName
    columnName: DestinationHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
customDetails:
  SourceMAC: SourceMACAddress
  SourceVLAN: SourceVLAN
  SourceHostName: SourceHostName
  DestinationMAC: DestinationMACAddress
  SourceType: SourceType
  DestinationVendor: DestinationVendor
  Protocol: Protocol
  SourceIP: SourceIP
  DestinationIP: DestinationIP
  Port: Port
  DestinationHostName: DestinationHostName
  DestinationType: DestinationType
  SourceVendor: SourceVendor
queryPeriod: 1h
status: Available
tactics:
- LateralMovement
- ImpairProcessControl
- Execution
- Collection
- Persistence
kind: Scheduled
triggerOperator: gt
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)
  | extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)  
name: Radiflow - Policy Violation Detected
suppressionDuration: 5h
severity: Medium
alertDetailsOverride:
  alertDescriptionFormat: Recent activity which violates the security policy has been detected in the network. Please check the details for additional information.
  alertDisplayNameFormat: Policy Violation Detected
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
id: a3f4cc3e-2403-4570-8d21-1dedd5632958
queryFrequency: 1h
description: |
    'Generates an incident when an unauthorized session or action is detected either by Radiflow's iSID.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3f4cc3e-2403-4570-8d21-1dedd5632958')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3f4cc3e-2403-4570-8d21-1dedd5632958')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Recent activity which violates the security policy has been detected in the network. Please check the details for additional information.",
          "alertDisplayNameFormat": "Policy Violation Detected",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "a3f4cc3e-2403-4570-8d21-1dedd5632958",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when an unauthorized session or action is detected either by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Policy Violation Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPolicyViolationDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID in (5, 156, 161, 169, 171, 182, 183, 184, 185)\n| extend EventMessage = iif(EventMessage == ' ', 'Policy Violation', EventMessage)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Execution",
          "ImpairProcessControl",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}