Google SecOps - Multi-Event Correlated Alert
| Field | Value |
| --- | --- |
| Id | d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e |
| Rulename | Google SecOps - Multi-Event Correlated Alert |
| Description | Creates incidents in Microsoft Sentinel when Google Security Operations raises an active multi-event correlated alert (MULTI_EVENT, riskScore gte 40) at HIGH or CRITICAL severity. These alerts indicate complex attack patterns like lateral movement, staged persistence, or command-and-control identified by correlating multiple signals across a time window. |
| Severity | High |
| Tactics | LateralMovement, Persistence, PrivilegeEscalation, CommandAndControl |
| Techniques | T1210, T1021, T1053, T1055 |
| Required data connectors | GSDetectionAlerts |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-MultiEventCorrelatedAlert.yaml |
| Version | 1.0.0 |
| Arm template | d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e.json |
Query:

```kusto
GoogleSecOpsDetectionAlerts
| where ruleType == "MULTI_EVENT"
| where severity in ("HIGH", "CRITICAL")
| where riskScore >= 40
| where alertState == "ALERTING"
```
Rule definition (YAML):

```yaml
customDetails:
  TargetUser: varTargetUserUserid
  RuleType: ruleType
  DetectionTime: detectionTime
  SourceHostname: varSourceHostname
  alert_identifier: id
  PrincipalIPCount: varPrincipalIpCount
  SourceUser: varSourceUserUserid
  CorrelationIP: varCorrelationIp
  RiskScore: riskScore
  SourceIPCount: varSourceIpCount
  Severity: severity
  PrincipalHostname: varPrincipalHostname
  PrincipalIP: varPrincipalIp
  PrincipalUser: varPrincipalUserUserid
  RuleName: ruleName
  TargetHostname: varTargetHostname
  SourceIP: varSourceIp
  TargetIP: varTargetIp
entityMappings:
  - fieldMappings:
      - columnName: varPrincipalIp
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: varTargetIp
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: varSourceIp
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: varCorrelationIp
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: urlBackToProduct
        identifier: Url
    entityType: URL
alertDetailsOverride:
  alertDisplayNameFormat: 'Multi-Event Correlation: {{ruleName}} : {{id}}'
  alertDescriptionFormat: 'Google SecOps correlated multiple events into a confirmed alert. Rule: {{ruleName}}.'
status: Available
queryFrequency: 10m
tactics:
  - LateralMovement
  - Persistence
  - PrivilegeEscalation
  - CommandAndControl
triggerThreshold: 0
query: |
  GoogleSecOpsDetectionAlerts
  | where ruleType == "MULTI_EVENT"
  | where severity in ("HIGH", "CRITICAL")
  | where riskScore >= 40
  | where alertState == "ALERTING"
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-MultiEventCorrelatedAlert.yaml
relevantTechniques:
  - T1210
  - T1021
  - T1053
  - T1055
version: 1.0.0
kind: Scheduled
requiredDataConnectors:
  - dataTypes:
      - DetectionAlerts_CL
    connectorId: GSDetectionAlerts
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
      - alert_identifier
    enabled: true
    lookbackDuration: P1D
    matchingMethod: Selected
    reopenClosedIncident: true
severity: High
id: d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  Creates incidents in Microsoft Sentinel when Google Security Operations raises an active multi-event correlated alert (MULTI_EVENT, riskScore gte 40) at HIGH or CRITICAL severity. These alerts indicate complex attack patterns like lateral movement, staged persistence, or command-and-control identified by correlating multiple signals across a time window.
name: Google SecOps - Multi-Event Correlated Alert
```