Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Radiflow - Unauthorized Internet Access

Radiflow - Unauthorized Internet Access

Back
Idcc33e1a9-e167-460b-93e6-f14af652dbd3
RulenameRadiflow - Unauthorized Internet Access
DescriptionGenerates an incident when an unauthorized link between the network and the Internet is detected by Radiflow’s iSID.
SeverityMedium
TacticsInitialAccess
Impact
TechniquesT0822
T0883
T0882
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedInternetAccess.yaml
Version1.0.0
Arm templatecc33e1a9-e167-460b-93e6-f14af652dbd3.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (55, 147, 193, 194)

query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (55, 147, 193, 194)  
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
alertDetailsOverride:
  alertDisplayNameFormat: Unauthorized Internet Access
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: "An external connection to the network has been detected. Please check whether this activity is legitimate and the external device is authorized to connect.\n\nMessage: {{EventMessage}}\nSource device: {{SourceIP}} \nDestination device (if any): {{DestinationIP}} "
  alertDynamicProperties: []
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    groupByEntities: []
    lookbackDuration: 1h
    reopenClosedIncident: false
    groupByAlertDetails: []
    matchingMethod: AllEntities
    enabled: true
  createIncident: true
description: Generates an incident when an unauthorized link between the network and the Internet is detected by Radiflow's iSID.
suppressionDuration: 5h
tactics:
- InitialAccess
- Impact
severity: Medium
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowUnauthorizedInternetAccess.yaml
kind: Scheduled
name: Radiflow - Unauthorized Internet Access
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
status: Available
suppressionEnabled: false
id: cc33e1a9-e167-460b-93e6-f14af652dbd3
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
relevantTechniques:
- T0822
- T0883
- T0882
version: 1.0.0
customDetails:
  SourceHostName: SourceHostName
  DestinationHostName: DestinationHostName
  SourceVLAN: SourceVLAN
  DestinationVendor: DestinationVendor
  DestinationType: DestinationType
  SourceType: SourceType
  SourceVendor: SourceVendor
  SourceIP: SourceIP
  DestinationIP: DestinationIP
  DestinationMAC: DestinationMACAddress
  SourceMAC: SourceMACAddress
  Protocol: Protocol
  Port: Port
queryPeriod: 1h