Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Radiflow - Unauthorized Internet Access

Radiflow - Unauthorized Internet Access

Back
Idcc33e1a9-e167-460b-93e6-f14af652dbd3
RulenameRadiflow - Unauthorized Internet Access
DescriptionGenerates an incident when an unauthorized link between the network and the Internet is detected by Radiflow’s iSID.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT0822
T0883
T0882
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedInternetAccess.yaml
Version1.0.0
Arm templatecc33e1a9-e167-460b-93e6-f14af652dbd3.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (55, 147, 193, 194)

queryPeriod: 1h
status: Available
triggerOperator: gt
queryFrequency: 1h
description: Generates an incident when an unauthorized link between the network and the Internet is detected by Radiflow's iSID.
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
suppressionEnabled: false
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (55, 147, 193, 194)  
severity: Medium
alertDetailsOverride:
  alertDescriptionFormat: "An external connection to the network has been detected. Please check whether this activity is legitimate and the external device is authorized to connect.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDisplayNameFormat: Unauthorized Internet Access
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedInternetAccess.yaml
tactics:
- InitialAccess
- Impact
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIP
    identifier: Address
  entityType: IP
relevantTechniques:
- T0822
- T0883
- T0882
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Radiflow - Unauthorized Internet Access
triggerThreshold: 0
suppressionDuration: 5h
id: cc33e1a9-e167-460b-93e6-f14af652dbd3
customDetails:
  SourceMAC: SourceMACAddress
  SourceType: SourceType
  DestinationIP: DestinationIP
  SourceVLAN: SourceVLAN
  SourceHostName: SourceHostName
  DestinationHostName: DestinationHostName
  DestinationType: DestinationType
  SourceVendor: SourceVendor
  Protocol: Protocol
  DestinationVendor: DestinationVendor
  SourceIP: SourceIP
  DestinationMAC: DestinationMACAddress
  Port: Port
version: 1.0.0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: 1h
    groupByAlertDetails: []
    matchingMethod: AllEntities
    groupByEntities: []
    groupByCustomDetails: []
    reopenClosedIncident: false
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc33e1a9-e167-460b-93e6-f14af652dbd3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc33e1a9-e167-460b-93e6-f14af652dbd3')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An external connection to the network has been detected. Please check whether this activity is legitimate and the external device is authorized to connect.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} ",
          "alertDisplayNameFormat": "Unauthorized Internet Access",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "cc33e1a9-e167-460b-93e6-f14af652dbd3",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "Generates an incident when an unauthorized link between the network and the Internet is detected by Radiflow's iSID.",
        "displayName": "Radiflow - Unauthorized Internet Access",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedInternetAccess.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID in (55, 147, 193, 194)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}