// Server-error volume check over the Datawiza access log table.
// Counts every row in datawizaserveraccess_CL whose Status_d is 500 or
// higher within the last `timeFrame` and emits a single row only when that
// count exceeds 100. Because summarize has no `by` clause, the output is
// one global count with no host, client or URI column left to pivot on;
// the rule's triggerThreshold 0 / GreaterThan then fires on any row returned.
let timeFrame = 10m;
datawizaserveraccess_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Status_d >= 500
// Single aggregate, not per-entity: the count in `Count` is the only field
// surfaced to the analyst in the alert.
| summarize Count = count()
| where Count > 100
query: |
// Server-error volume check over the Datawiza access log table.
// Counts every row in datawizaserveraccess_CL whose Status_d is 500 or
// higher within the last `timeFrame` and emits a single row only when that
// count exceeds 100. Because summarize has no `by` clause, the output is
// one global count with no host, client or URI column left to pivot on;
// the rule's triggerThreshold 0 / GreaterThan then fires on any row returned.
let timeFrame = 10m;
datawizaserveraccess_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Status_d >= 500
// Single aggregate, not per-entity: the count in `Count` is the only field
// surfaced to the analyst in the alert.
| summarize Count = count()
| where Count > 100
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml
triggerThreshold: 0
kind: Scheduled
tactics:
- Discovery
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 10m
name: Datawiza - massive errors detected
description: |
This rule identifies when the system is experiencing an abnormal number of server errors: more than 100 responses with a status of 500 or above within 10 minutes.
alertDetailsOverride:
alertDescriptionFormat: |
Detected {{Count}} server errors (status 500 or above) within 10 minutes. Investigate possible unauthorized access attempts or misconfigurations.
alertDisplayNameFormat: Datawiza Massive Error Detection
queryPeriod: 10m
triggerOperator: GreaterThan
id: ddee1398-cf0b-46af-b583-78c3c29156dc
relevantTechniques:
- T1082
severity: Medium
requiredDataConnectors:
- dataTypes:
- datawizaserveraccess_CL
connectorId: DatawizaDapSolution