Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Datawiza - massive errors detected

Back
Idddee1398-cf0b-46af-b583-78c3c29156dc
RulenameDatawiza - massive errors detected
Description“This rule is designed to identify when the system is experiencing abnormal errors.”
SeverityMedium
TacticsDiscovery
TechniquesT1082
Required data connectorsDatawizaDapSolution
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml
Version1.0.0
Arm templateddee1398-cf0b-46af-b583-78c3c29156dc.json
Deploy To Azure
let timeFrame = 10m;
datawizaserveraccess_CL
| where TimeGenerated between (ago(timeFrame) .. now())
  and Status_d >= 500
| summarize Count = count()
| where Count > 100
id: ddee1398-cf0b-46af-b583-78c3c29156dc
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datawiza/Analytic Rules/DatawizaSentinelAlerts.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - datawizaserveraccess_CL
  connectorId: DatawizaDapSolution
queryFrequency: 10m
alertDetailsOverride:
  alertDisplayNameFormat: Datawiza Massive Error Detection
  alertDescriptionFormat: |
        Detected {{Count}} errors within 10 minutes. Please investigate unauthorized access attempts or misconfigurations.
queryPeriod: 10m
triggerThreshold: 0
query: |
  let timeFrame = 10m;
  datawizaserveraccess_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
    and Status_d >= 500
  | summarize Count = count()
  | where Count > 100  
name: Datawiza - massive errors detected
kind: Scheduled
tactics:
- Discovery
severity: Medium
relevantTechniques:
- T1082
version: 1.0.0
description: |
    "This rule is designed to identify when the system is experiencing abnormal errors."