Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Generate alerts based on ExtraHop detections recommended for triage

Generate alerts based on ExtraHop detections recommended for triage

Back
Idcd65aebc-7e85-4cbb-9f91-ff0376c5d37d
RulenameGenerate alerts based on ExtraHop detections recommended for triage
DescriptionThis analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsExtraHop
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
Version1.0.2
Arm templatecd65aebc-7e85-4cbb-9f91-ff0376c5d37d.json
Deploy To Azure
ExtraHopDetections
| where IsRecommended == true

queryPeriod: 15m
query: |
  ExtraHopDetections
  | where IsRecommended == true  
name: Generate alerts based on ExtraHop detections recommended for triage
entityMappings:
- fieldMappings:
  - columnName: SourceHostname
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: DestinationHostname
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIpAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceUsername
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: DestinationUsername
    identifier: Name
  entityType: Account
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
alertDetailsOverride:
  alertDynamicProperties:
  - value: Url
    alertProperty: AlertLink
  - value: TechniqueIds
    alertProperty: Techniques
  - value: EventVendor
    alertProperty: ProductName
  alertSeverityColumnName: Severity
  alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
  alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
  alertTacticsColumnName: TacticNames
requiredDataConnectors:
- connectorId: ExtraHop
  dataTypes:
  - ExtraHopDetections
description: |
    'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
kind: Scheduled
incidentConfiguration:
  createIncident: false
version: 1.0.2
status: Available
severity: Medium
relevantTechniques:
- T1546
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
- Persistence
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d