Microsoft Sentinel Analytic Rules

Create alerts based on recommended detections from ExtraHop

Id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
Rulename: Create alerts based on recommended detections from ExtraHop
Description: This Analytic rule will generate alerts in Microsoft Sentinel for Recommended detections from ExtraHop.
Severity: Medium
Tactics: Persistence
Techniques: T1546
Required data connectors: ExtraHop
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
Version: 1.0.0
Arm template: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d.json
// Rule query: keep only the ExtraHop detections the vendor flags as recommended.
// Each returned row becomes its own Sentinel alert (AlertPerResult, threshold 0),
// so the fidelity of the alert stream is entirely that of ExtraHop's IsRecommended flag.
ExtraHopDetections
| where IsRecommended == true
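---
# Microsoft Sentinel scheduled analytic rule for the ExtraHop solution.
# It raises one alert for every ExtraHopDetections row that ExtraHop itself
# marks as recommended; no further filtering or enrichment happens here.
status: Available
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d

alertDetailsOverride:
  # {{Column}} placeholders are filled from the matching result row, i.e.
  # from vendor-supplied detection fields (title, id, vendor name).
  alertDescriptionFormat: 'Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}'
  alertDisplayNameFormat: 'Alert from {{EventVendor}} for Detection {{Title}}'
  alertDynamicProperties:
  # AlertLink is taken verbatim from the detection's Url column; presumably a
  # link back into the ExtraHop console — confirm against the connector schema.
  - alertProperty: AlertLink
    columnName: Url
  - alertProperty: Techniques
    columnName: TechniqueIds
  - alertProperty: ProductName
    columnName: EventVendor
  # Severity and tactics are overridden per alert from the detection row, so the
  # static `severity: Medium` below is only the fallback/template value.
  alertTacticsColumnName: TacticNames
  alertSeverityColumnName: Severity

# Block scalar with no trailing whitespace: a trailing space inside a `|`
# scalar becomes part of the query text.
query: |
  ExtraHopDetections
  | where IsRecommended == true

OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml'
# Plain quoted string: wrapping the text in '...' inside a block scalar would
# ship the quote characters as part of the description.
description: 'This Analytic rule will generate alerts in Microsoft Sentinel for Recommended detections from ExtraHop.'
name: Create alerts based on recommended detections from ExtraHop

# Alerts are created but no incident is opened automatically; anything that
# should track these detections as incidents has to be configured elsewhere.
incidentConfiguration:
  createIncident: false

relevantTechniques:
- T1546

# Source and destination host, IP and account are each mapped as separate
# entities so both ends of a detection are pivotable in the alert.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DestinationHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIpAddress
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: SourceUsername
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: DestinationUsername

# GreaterThan 0 means the rule fires as soon as the query returns any row.
triggerThreshold: 0
triggerOperator: GreaterThan
severity: Medium

requiredDataConnectors:
- connectorId: ExtraHop
  dataTypes:
  - ExtraHopDetections

# One alert per result row rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult

# Frequency equals period, so consecutive runs neither overlap nor leave gaps.
queryFrequency: 15m
queryPeriod: 15m

version: 1.0.0
kind: Scheduled
tactics:
- Persistence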
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}",
          "alertDisplayNameFormat": "Alert from {{EventVendor}} for Detection {{Title}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "columnName": "Url"
            },
            {
              "alertProperty": "Techniques",
              "columnName": "TechniqueIds"
            },
            {
              "alertProperty": "ProductName",
              "columnName": "EventVendor"
            }
          ],
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": "TacticNames"
        },
        "alertRuleTemplateName": "cd65aebc-7e85-4cbb-9f91-ff0376c5d37d",
        "customDetails": null,
        "description": "This Analytic rule will generate alerts in Microsoft Sentinel for Recommended detections from ExtraHop.\n",
        "displayName": "Create alerts based on recommended detections from ExtraHop",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUsername",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "DestinationUsername",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml",
        "query": "ExtraHopDetections\n| where IsRecommended == true\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}