ExtraHopDetections
| where IsRecommended == true
name: Generate alerts based on ExtraHop detections recommended for triage
alertDetailsOverride:
alertDynamicProperties:
- value: Url
alertProperty: AlertLink
- value: TechniqueIds
alertProperty: Techniques
- value: EventVendor
alertProperty: ProductName
alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
alertTacticsColumnName: TacticNames
alertSeverityColumnName: Severity
alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
description: |
'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: SourceHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: DestinationHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: SourceIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DestinationIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: SourceUsername
identifier: Name
entityType: Account
- fieldMappings:
- columnName: DestinationUsername
identifier: Name
entityType: Account
version: 1.0.2
triggerOperator: GreaterThan
query: |
ExtraHopDetections
| where IsRecommended == true
tactics:
- Persistence
kind: Scheduled
queryFrequency: 15m
severity: Medium
incidentConfiguration:
createIncident: false
queryPeriod: 15m
requiredDataConnectors:
- dataTypes:
- ExtraHopDetections
connectorId: ExtraHop
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1546
