Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Awake Security - Model With Multiple Destinations

Back
Iddfa3ec92-bdae-410f-b675-fe1814e4d43e
RulenameAwake Security - Model With Multiple Destinations
DescriptionThis query searches for devices with multiple possibly malicious destinations.
SeverityMedium
Required data connectorsAristaAwakeSecurity
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
Version1.0.0
Arm templatedfa3ec92-bdae-410f-b675-fe1814e4d43e.json
Deploy To Azure
CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where array_length(DestinationIPs) > 1
status: Available
id: dfa3ec92-bdae-410f-b675-fe1814e4d43e
name: Awake Security - Model With Multiple Destinations
customDetails:
  Device: SourceHostName
  Matches_Count: ModelMatchCount
  Matches_Dest_IPs: DestinationIPs
  Matches_Max_Severity: MaxSeverity
  Matched_Models: Models
  Matches_ASP_URLs: ASPMatchURLs
kind: Scheduled
requiredDataConnectors:
- connectorId: AristaAwakeSecurity
  dataTypes:
  - CommonSecurityLog (AwakeSecurity)
alertDetailsOverride:
  alertDisplayNameFormat: Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}
  alertSeverityColumnName: 
  alertDescriptionFormat: |
    Device {{SourceHostName}} communicated with multiple possibly malicious destinations.  The destination IPs were:

    {{DestinationIPs}}

    The associated with Awake model(s) were:

    {{Models}}    
  alertTacticsColumnName: 
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 3d
    groupByCustomDetails:
    - Device
    enabled: true
    groupByAlertDetails: []
    groupByEntities:
    - Host
    matchingMethod: Selected
    reopenClosedIncident: true
  createIncident: true
description: This query searches for devices with multiple possibly malicious destinations.
relevantTechniques: []
queryPeriod: 1h
triggerOperator: gt
queryFrequency: 1h
query: |
  CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where array_length(DestinationIPs) > 1  
version: 1.0.0
tactics: []
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIPs
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dfa3ec92-bdae-410f-b675-fe1814e4d43e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dfa3ec92-bdae-410f-b675-fe1814e4d43e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Device {{SourceHostName}} communicated with multiple possibly malicious destinations.  The destination IPs were:\n\n{{DestinationIPs}}\n\nThe associated with Awake model(s) were:\n\n{{Models}}\n",
          "alertDisplayNameFormat": "Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}",
          "alertSeverityColumnName": null,
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "dfa3ec92-bdae-410f-b675-fe1814e4d43e",
        "customDetails": {
          "Device": "SourceHostName",
          "Matched_Models": "Models",
          "Matches_ASP_URLs": "ASPMatchURLs",
          "Matches_Count": "ModelMatchCount",
          "Matches_Dest_IPs": "DestinationIPs",
          "Matches_Max_Severity": "MaxSeverity"
        },
        "description": "This query searches for devices with multiple possibly malicious destinations.",
        "displayName": "Awake Security - Model With Multiple Destinations",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIPs",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "Device"
            ],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "P3D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml",
        "query": "CommonSecurityLog | where DeviceVendor == \"Arista Networks\" and DeviceProduct == \"Awake Security\"\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),\n  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName\n| where array_length(DestinationIPs) > 1\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}