SSG_Security_Incidents

Back


Id	d41fa731-45a2-4b23-bb1d-29896fbc5298
Rulename	SSG_Security_Incidents
Description	The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization’s internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.
Severity	HIGH
Tactics	Impact
Techniques	T1486
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
Version	1.0.0
Arm template	d41fa731-45a2-4b23-bb1d-29896fbc5298.json

KQL

SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name

YAML

alertDetailsOverride:
  alertDisplayNameFormat: '{{signature_name}} '
  alertDynamicProperties: []
  alertDescriptionFormat: 'Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} '
tactics:
- Impact
description: The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.
query: |
  SINECSecurityGuard_CL
  | where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
  | project source_ip, destination_ip, signature_id, signature_name  
id: d41fa731-45a2-4b23-bb1d-29896fbc5298
customDetails:
  Source_IP: source_ip
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1486
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
severity: HIGH
entityMappings:
- fieldMappings:
  - columnName: source_ip
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: destination_ip
    identifier: Address
  entityType: IP
name: SSG_Security_Incidents
suppressionDuration: 5h
kind: NRT
suppressionEnabled: false
version: 1.0.0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - IP
    reopenClosedIncident: false
    groupByAlertDetails: []
    lookbackDuration: 5m
    enabled: true
    groupByCustomDetails:
    - Source_IP
    matchingMethod: AnyAlert

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d41fa731-45a2-4b23-bb1d-29896fbc5298')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d41fa731-45a2-4b23-bb1d-29896fbc5298')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
          "alertDisplayNameFormat": "{{signature_name}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
        "customDetails": {
          "Source_IP": "source_ip"
        },
        "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
        "displayName": "SSG_Security_Incidents",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "source_ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "destination_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "Source_IP"
            ],
            "groupByEntities": [
              "IP"
            ],
            "lookbackDuration": "PT5M",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml",
        "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
        "severity": "HIGH",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}