Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Awake Security - High Severity Matches By Device

Awake Security - High Severity Matches By Device

Back
Idd5e012c2-29ba-4a02-a813-37b928aafe2d
RulenameAwake Security - High Severity Matches By Device
DescriptionThis query searches for devices with high severity event(s).
SeverityMedium
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml
Version1.0.2
Arm templated5e012c2-29ba-4a02-a813-37b928aafe2d.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security" and toint(LogSeverity) > 6
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(todecimal  (LogSeverity)) by SourceHostName

triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 3d
    enabled: true
    groupByAlertDetails: []
    reopenClosedIncident: true
    matchingMethod: Selected
    groupByCustomDetails:
    - Device
    groupByEntities:
    - Host
  createIncident: true
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
relevantTechniques: []
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIPs
query: |
  CommonSecurityLog
  | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security" and toint(LogSeverity) > 6
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(todecimal  (LogSeverity)) by SourceHostName  
triggerThreshold: 0
customDetails:
  Matches_Count: ModelMatchCount
  Matches_Max_Severity: MaxSeverity
  Matched_Models: Models
  Matches_ASP_URLs: ASPMatchURLs
  Device: SourceHostName
  Matches_Dest_IPs: DestinationIPs
alertDetailsOverride:
  alertDisplayNameFormat: Awake Security - High Severity Matches On Device {{SourceHostName}}
  alertSeverityColumnName: MaxSeverity
  alertTacticsColumnName: 
  alertDescriptionFormat: |
    Device {{SourceHostName}} matched the following high-severity Awake model(s):

    {{Models}}

    The destination IPs associated with these matches were:

    {{DestinationIPs}}    
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/HighSeverityMatchesByDevice.yaml
queryPeriod: 1h
name: Awake Security - High Severity Matches By Device
status: Available
kind: Scheduled
description: This query searches for devices with high severity event(s).
id: d5e012c2-29ba-4a02-a813-37b928aafe2d
version: 1.0.2
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics: []
severity: Medium