AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection

Back


Id	af245eff-0db9-4df8-82e6-998185cac332
Rulename	AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection
Description	This alert creates an incident when Tabular classification AI Model Evasion Low suspicious, medium severity vulnerability detected from the AIShield.
Severity	Medium
Required data connectors	BoschAIShield
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/TabularClassificationModelEvasionLowSuspiciousVulnDetection.yaml
Version	1.0.4
Arm template	af245eff-0db9-4df8-82e6-998185cac332.json

KQL

AIShield
| where Message has 'Tabular Classification AI Model Evasion Attack Identified'
| where Severity =~ 'Medium'
| where SuspiciousLevel =~ 'low suspicious attack'
| extend NTDomain = tostring(split(Computer, '\\')[0]), HostName = tostring(split(Computer, '.')[0])

YAML

id: af245eff-0db9-4df8-82e6-998185cac332
tactics: []
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
name: AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection
query: |
  AIShield
  | where Message has 'Tabular Classification AI Model Evasion Attack Identified'
  | where Severity =~ 'Medium'
  | where SuspiciousLevel =~ 'low suspicious attack'
  | extend NTDomain = tostring(split(Computer, '\\')[0]), HostName = tostring(split(Computer, '.')[0])  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/TabularClassificationModelEvasionLowSuspiciousVulnDetection.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: BoschAIShield
  dataTypes:
  - AIShield
version: 1.0.4
description: |
    'This alert creates an incident when Tabular classification AI Model Evasion Low suspicious, medium severity vulnerability detected from the AIShield.'
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: AIShield - Tabular Classification AI Model Evasion low suspicious vulnerability detected.
  alertSeverityColumnName: Severity
  alertDescriptionFormat: |
        This query detects Tabular Classification AI Model Evasion low suspicious, medium severity alert from AIShield generated at {{TimeGenerated}}.\n\nPlease check the source for more information and investigate further.
  alertTacticsColumnName: 
entityMappings:
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: SourceName
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af245eff-0db9-4df8-82e6-998185cac332')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af245eff-0db9-4df8-82e6-998185cac332')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query detects Tabular Classification AI Model Evasion low suspicious, medium severity alert from AIShield generated at {{TimeGenerated}}.\\n\\nPlease check the source for more information and investigate further.\n",
          "alertDisplayNameFormat": "AIShield - Tabular Classification AI Model Evasion low suspicious vulnerability detected.",
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "af245eff-0db9-4df8-82e6-998185cac332",
        "customDetails": null,
        "description": "'This alert creates an incident when Tabular classification AI Model Evasion Low suspicious, medium severity vulnerability detected from the AIShield.'\n",
        "displayName": "AIShield - Tabular classification AI Model Evasion low suspicious vulnerability detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceName",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/TabularClassificationModelEvasionLowSuspiciousVulnDetection.yaml",
        "query": "AIShield\n| where Message has 'Tabular Classification AI Model Evasion Attack Identified'\n| where Severity =~ 'Medium'\n| where SuspiciousLevel =~ 'low suspicious attack'\n| extend NTDomain = tostring(split(Computer, '\\\\')[0]), HostName = tostring(split(Computer, '.')[0])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}