SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name
relevantTechniques:
- T1486
query: |
SINECSecurityGuard_CL
| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)
| project source_ip, destination_ip, signature_id, signature_name
tactics:
- Impact
suppressionDuration: 5h
alertDetailsOverride:
alertDescriptionFormat: 'Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} '
alertDisplayNameFormat: '{{signature_name}} '
alertDynamicProperties: []
entityMappings:
- entityType: IP
fieldMappings:
- columnName: source_ip
identifier: Address
- entityType: IP
fieldMappings:
- columnName: destination_ip
identifier: Address
kind: NRT
customDetails:
Source_IP: source_ip
description: The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.
severity: HIGH
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5m
groupByEntities:
- IP
groupByAlertDetails: []
enabled: true
reopenClosedIncident: false
matchingMethod: AnyAlert
groupByCustomDetails:
- Source_IP
eventGroupingSettings:
aggregationKind: AlertPerResult
id: d41fa731-45a2-4b23-bb1d-29896fbc5298
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC Security Guard/Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml
name: SSG_Security_Incidents
suppressionEnabled: false
version: 1.0.0
