Microsoft Sentinel Analytic Rules

Unusual Anomaly

Id: d0255b5f-2a3c-4112-8744-e6757af3283a
Rulename: Unusual Anomaly
Description: Anomaly rules generate events in the Anomalies table. This scheduled rule tries to detect anomalies that are not usual: they could be a type of anomaly that has recently been activated, or an infrequent type. The detected anomaly should be reviewed; if it is relevant enough, a separate scheduled analytics rule could eventually be created specifically for that anomaly type, so that an alert and/or incident is generated every time that type of anomaly occurs.
Severity: Medium
Kind: Scheduled
Query frequency: 1h
Query period: 4d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Anomalies/UnusualAnomaly.yaml
Version: 1.0.3
Arm template: d0255b5f-2a3c-4112-8744-e6757af3283a.json
// You can leave out Anomalies that are already monitored through other Analytics Rules
//let _MonitoredRules = dynamic(["TestAlertName"]);
let query_frequency = 1h;
let query_lookback = 3d;
Anomalies
| where TimeGenerated > ago(query_frequency)
//| where not(RuleName has_any (_MonitoredRules))
| join kind = leftanti (
    Anomalies
    | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))
    | distinct RuleName
) on RuleName
| extend Name = tostring(split(UserPrincipalName, "@")[0]), UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
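To make the detection logic of the query above concrete, the following Python snippet (an added example, not part of the Sentinel rule or the cloudbrothers.info page) re-implements it over a small constructed sample of the Anomalies table: rows from the current 1h window are kept only if their RuleName never appeared in the preceding 3d lookback window (the KQL leftanti join), with the optional _MonitoredRules exclusion and the UPN split from the extend clause. Rule names, UPNs and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for now() in KQL, so the sample is deterministic.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample of the Anomalies table: (TimeGenerated, RuleName, UserPrincipalName).
SAMPLE_ANOMALIES = [
    # Seen in the last hour AND during the 3d lookback -> a usual anomaly type, suppressed.
    (NOW - timedelta(minutes=20), "Anomalous Sign-in Location", "alice@contoso.example"),
    (NOW - timedelta(hours=5),    "Anomalous Sign-in Location", "bob@contoso.example"),
    (NOW - timedelta(days=2),     "Anomalous Sign-in Location", "carol@contoso.example"),
    # Seen in the last hour, never in the lookback -> unusual, surfaced.
    (NOW - timedelta(minutes=40), "Unusual Mailbox Forwarding Rule", "dave@contoso.example"),
    # Seen in the last hour; the only earlier occurrence is OLDER than the lookback -> still unusual.
    (NOW - timedelta(minutes=10), "Rare Service Principal Credential Use", "svc-app@contoso.example"),
    (NOW - timedelta(days=5),     "Rare Service Principal Credential Use", "svc-app@contoso.example"),
    # Only in the lookback, not in the current window -> never evaluated by the outer query.
    (NOW - timedelta(days=1),     "Anomalous Token", "erin@contoso.example"),
]


def unusual_anomalies(rows, now, query_frequency=timedelta(hours=1),
                      query_lookback=timedelta(days=3), monitored_rules=()):
    """Mirror the rule's KQL: keep anomalies from the current window whose RuleName
    did not occur in the preceding lookback window (join kind=leftanti on RuleName)."""
    current_start = now - query_frequency              # ago(query_frequency)
    lookback_start = current_start - query_lookback    # ago(query_frequency + query_lookback)

    # Inner query: distinct RuleName over the lookback window.
    # KQL `between (a..b)` is inclusive at both ends, so use <= on both sides.
    known_rules = {name for t, name, _ in rows if lookback_start <= t <= current_start}

    results = []
    for t, name, upn in rows:
        if not t > current_start:          # | where TimeGenerated > ago(query_frequency)
            continue
        if name in monitored_rules:        # the commented-out _MonitoredRules exclusion
            continue
        if name in known_rules:            # leftanti: drop rows that matched the inner query
            continue
        # | extend Name = split(UPN, "@")[0], UPNSuffix = split(UPN, "@")[1]
        local_part, _, suffix = upn.partition("@")
        results.append({"TimeGenerated": t, "RuleName": name, "UserPrincipalName": upn,
                        "Name": local_part, "UPNSuffix": suffix})
    return results
```

Each returned row corresponds to one alert under the rule's AlertPerResult grouping, which is why the example keeps the Account entity columns (Name, UPNSuffix, UserPrincipalName) on every result.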
queryPeriod: 4d
query: |
  // You can leave out Anomalies that are already monitored through other Analytics Rules
  //let _MonitoredRules = dynamic(["TestAlertName"]);
  let query_frequency = 1h;
  let query_lookback = 3d;
  Anomalies
  | where TimeGenerated > ago(query_frequency)
  //| where not(RuleName has_any (_MonitoredRules))
  | join kind = leftanti (
      Anomalies
      | where TimeGenerated between (ago(query_frequency + query_lookback)..ago(query_frequency))
      | distinct RuleName
  ) on RuleName
  | extend Name = tostring(split(UserPrincipalName, "@")[0]), UPNSuffix = tostring(split(UserPrincipalName, "@")[1])  
name: Unusual Anomaly
techniques: []
entityMappings:
- fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Anomalies/UnusualAnomaly.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Unusual Anomaly - {{RuleName}}
  alertDynamicProperties:
  - value: Techniques
    alertProperty: Techniques
  alertTacticsColumnName: Tactics
description: |
    'Anomaly Rules generate events in the Anomalies table. This scheduled rule tries to detect Anomalies that are not usual, they could be a type of Anomaly that has recently been activated, or an infrequent type. The detected Anomaly should be reviewed, if it is relevant enough, eventually a separate scheduled Analytics Rule could be created specifically for that Anomaly Type, so an alert and/or incident is generated everytime that type of Anomaly happens.'
kind: Scheduled
version: 1.0.3
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
severity: Medium
requiredDataConnectors: []
triggerOperator: gt
triggerThreshold: 0
tactics: []
id: d0255b5f-2a3c-4112-8744-e6757af3283a