ExtraHopDetections
| where IsRecommended == true
entityMappings:
- fieldMappings:
- columnName: SourceHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: DestinationHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: SourceIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DestinationIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: SourceUsername
identifier: Name
entityType: Account
- fieldMappings:
- columnName: DestinationUsername
identifier: Name
entityType: Account
alertDetailsOverride:
alertDisplayNameFormat: Alert from {{EventVendor}} for Detection {{Title}}
alertDescriptionFormat: Alert from {{EventVendor}} for Detection {{Title}} for Id {{Id}}
alertDynamicProperties:
- alertProperty: AlertLink
value: Url
- alertProperty: Techniques
value: TechniqueIds
- alertProperty: ProductName
value: EventVendor
alertTacticsColumnName: TacticNames
alertSeverityColumnName: Severity
status: Available
queryFrequency: 15m
tactics:
- Persistence
triggerThreshold: 0
query: |
ExtraHopDetections
| where IsRecommended == true
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
relevantTechniques:
- T1546
version: 1.0.2
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- ExtraHopDetections
connectorId: ExtraHop
triggerOperator: GreaterThan
incidentConfiguration:
createIncident: false
severity: Medium
id: cd65aebc-7e85-4cbb-9f91-ff0376c5d37d
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'
name: Generate alerts based on ExtraHop detections recommended for triage
