ExtraHopDetections
| where IsRecommended == true
queryFrequency: 15m
incidentConfiguration:
createIncident: false
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
name: Generate alerts based on ExtraHop detections recommended for triage
relevantTechniques:
- T1546
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
query: |
ExtraHopDetections
| where IsRecommended == true
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
entityMappings:
- entityType: Host
fieldMappings:
- columnName: SourceHostname
identifier: HostName
- entityType: Host
fieldMappings:
- columnName: DestinationHostname
identifier: HostName
- entityType: IP
fieldMappings:
- columnName: SourceIpAddress
identifier: Address
- entityType: IP
fieldMappings:
- columnName: DestinationIpAddress
identifier: Address
- entityType: Account
fieldMappings:
- columnName: SourceUsername
identifier: Name
- entityType: Account
fieldMappings:
- columnName: DestinationUsername
identifier: Name
alertDetailsOverride:
alertTacticsColumnName: TacticNames
alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
alertSeverityColumnName: Severity
alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
alertDynamicProperties:
- value: Url
alertProperty: AlertLink
- value: TechniqueIds
alertProperty: Techniques
- value: EventVendor
alertProperty: ProductName
version: 1.0.2
queryPeriod: 15m
tactics:
- Persistence
triggerOperator: GreaterThan
requiredDataConnectors:
- dataTypes:
- ExtraHopDetections
connectorId: ExtraHop
status: Available
kind: Scheduled
description: |
'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
