SSG_Security_Incidents

Back


Id	d41fa731-45a2-4b23-bb1d-29896fbc5298
Rulename	SSG_Security_Incidents
Description	The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization’s internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.
Severity	HIGH
Tactics	Impact
Techniques	T1486
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
Version	1.0.0
Arm template	d41fa731-45a2-4b23-bb1d-29896fbc5298.json

KQL

SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name

YAML

relevantTechniques:
- T1486
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    groupByCustomDetails:
    - Source_IP
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AnyAlert
    groupByEntities:
    - IP
name: SSG_Security_Incidents
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: source_ip
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: destination_ip
  entityType: IP
query: |
  SINECSecurityGuard_CL
  | where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
  | project source_ip, destination_ip, signature_id, signature_name  
id: d41fa731-45a2-4b23-bb1d-29896fbc5298
tactics:
- Impact
version: 1.0.0
customDetails:
  Source_IP: source_ip
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: '{{signature_name}} '
  alertDescriptionFormat: 'Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} '
kind: NRT
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
suppressionDuration: 5h
severity: HIGH
suppressionEnabled: false
description: The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d41fa731-45a2-4b23-bb1d-29896fbc5298')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d41fa731-45a2-4b23-bb1d-29896fbc5298')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
          "alertDisplayNameFormat": "{{signature_name}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
        "customDetails": {
          "Source_IP": "source_ip"
        },
        "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
        "displayName": "SSG_Security_Incidents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "source_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "destination_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "Source_IP"
            ],
            "groupByEntities": [
              "IP"
            ],
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml",
        "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
        "severity": "HIGH",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}