SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name
suppressionEnabled: false
severity: HIGH
alertDetailsOverride:
alertDescriptionFormat: 'Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} '
alertDynamicProperties: []
alertDisplayNameFormat: '{{signature_name}} '
description: The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
entityMappings:
- fieldMappings:
- columnName: source_ip
identifier: Address
entityType: IP
- fieldMappings:
- columnName: destination_ip
identifier: Address
entityType: IP
suppressionDuration: 5h
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5m
groupByAlertDetails: []
enabled: true
matchingMethod: AnyAlert
groupByEntities:
- IP
reopenClosedIncident: false
groupByCustomDetails:
- Source_IP
createIncident: true
name: SSG_Security_Incidents
id: d41fa731-45a2-4b23-bb1d-29896fbc5298
relevantTechniques:
- T1486
tactics:
- Impact
customDetails:
Source_IP: source_ip
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name
kind: NRT
