Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Generate alerts based on ExtraHop detections recommended for triage

Back
Idcd65aebc-7e85-4cbb-9f91-ff0376c5d37d
RulenameGenerate alerts based on ExtraHop detections recommended for triage
DescriptionThis analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsExtraHop
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
Version1.0.2
Arm templatecd65aebc-7e85-4cbb-9f91-ff0376c5d37d.json
Deploy To Azure
ExtraHopDetections
| where IsRecommended == true
alertDetailsOverride:
  alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
  alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: Url
  - alertProperty: Techniques
    value: TechniqueIds
  - alertProperty: ProductName
    value: EventVendor
  alertSeverityColumnName: Severity
  alertTacticsColumnName: TacticNames
version: 1.0.2
relevantTechniques:
- T1546
description: |
    'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
requiredDataConnectors:
- connectorId: ExtraHop
  dataTypes:
  - ExtraHopDetections
incidentConfiguration:
  createIncident: false
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
tactics:
- Persistence
queryPeriod: 15m
query: |
  ExtraHopDetections
  | where IsRecommended == true  
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostname
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostname
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIpAddress
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: SourceUsername
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: DestinationUsername
  entityType: Account
name: Generate alerts based on ExtraHop detections recommended for triage
kind: Scheduled
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
triggerOperator: GreaterThan
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cd65aebc-7e85-4cbb-9f91-ff0376c5d37d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}",
          "alertDisplayNameFormat": "Alert from {{EventVendor}} for Detection {{Title}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "Url"
            },
            {
              "alertProperty": "Techniques",
              "value": "TechniqueIds"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventVendor"
            }
          ],
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": "TacticNames"
        },
        "alertRuleTemplateName": "cd65aebc-7e85-4cbb-9f91-ff0376c5d37d",
        "customDetails": null,
        "description": "'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'\n",
        "displayName": "Generate alerts based on ExtraHop detections recommended for triage",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostname",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SourceUsername",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "DestinationUsername",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml",
        "query": "ExtraHopDetections\n| where IsRecommended == true\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}