Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Generate alerts based on ExtraHop detections recommended for triage

Back
Idcd65aebc-7e85-4cbb-9f91-ff0376c5d37d
RulenameGenerate alerts based on ExtraHop detections recommended for triage
DescriptionThis analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsExtraHop
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
Version1.0.2
Arm templatecd65aebc-7e85-4cbb-9f91-ff0376c5d37d.json
Deploy To Azure
ExtraHopDetections
| where IsRecommended == true
name: Generate alerts based on ExtraHop detections recommended for triage
tactics:
- Persistence
alertDetailsOverride:
  alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
  alertDynamicProperties:
  - value: Url
    alertProperty: AlertLink
  - value: TechniqueIds
    alertProperty: Techniques
  - value: EventVendor
    alertProperty: ProductName
  alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
  alertSeverityColumnName: Severity
  alertTacticsColumnName: TacticNames
description: |
    'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostname
    identifier: HostName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostname
    identifier: HostName
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIpAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: SourceUsername
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: DestinationUsername
    identifier: Name
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
version: 1.0.2
triggerThreshold: 0
queryFrequency: 15m
incidentConfiguration:
  createIncident: false
kind: Scheduled
triggerOperator: GreaterThan
relevantTechniques:
- T1546
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: ExtraHop
  dataTypes:
  - ExtraHopDetections
severity: Medium
queryPeriod: 15m
status: Available
query: |
  ExtraHopDetections
  | where IsRecommended == true  
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}",
          "alertDisplayNameFormat": "Alert from {{EventVendor}} for Detection {{Title}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "Url"
            },
            {
              "alertProperty": "Techniques",
              "value": "TechniqueIds"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventVendor"
            }
          ],
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": "TacticNames"
        },
        "alertRuleTemplateName": "cd65aebc-7e85-4cbb-9f91-ff0376c5d37d",
        "customDetails": null,
        "description": "'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'\n",
        "displayName": "Generate alerts based on ExtraHop detections recommended for triage",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUsername",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "DestinationUsername",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml",
        "query": "ExtraHopDetections\n| where IsRecommended == true\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}