Datawiza - massive errors detected

Back


Id	ddee1398-cf0b-46af-b583-78c3c29156dc
Rulename	Datawiza - massive errors detected
Description	“This rule is designed to identify when the system is experiencing abnormal errors.”
Severity	Medium
Tactics	Discovery
Techniques	T1082
Required data connectors	DatawizaDapSolution
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml
Version	1.0.0
Arm template	ddee1398-cf0b-46af-b583-78c3c29156dc.json

KQL

let timeFrame = 10m;
datawizaserveraccess_CL
| where TimeGenerated between (ago(timeFrame) .. now())
  and Status_d >= 500
| summarize Count = count()
| where Count > 100

YAML

requiredDataConnectors:
- dataTypes:
  - datawizaserveraccess_CL
  connectorId: DatawizaDapSolution
relevantTechniques:
- T1082
triggerOperator: GreaterThan
version: 1.0.0
queryFrequency: 10m
severity: Medium
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: |
        Detected {{Count}} errors within 10 minutes. Please investigate unauthorized access attempts or misconfigurations.
  alertDisplayNameFormat: Datawiza Massive Error Detection
name: Datawiza - massive errors detected
query: |
  let timeFrame = 10m;
  datawizaserveraccess_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
    and Status_d >= 500
  | summarize Count = count()
  | where Count > 100  
tactics:
- Discovery
queryPeriod: 10m
description: |
    "This rule is designed to identify when the system is experiencing abnormal errors."
kind: Scheduled
id: ddee1398-cf0b-46af-b583-78c3c29156dc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert

ARM