Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Awake Security - Model With Multiple Destinations

Awake Security - Model With Multiple Destinations

Back
Iddfa3ec92-bdae-410f-b675-fe1814e4d43e
RulenameAwake Security - Model With Multiple Destinations
DescriptionThis query searches for devices with multiple possibly malicious destinations.
SeverityMedium
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
Version1.0.2
Arm templatedfa3ec92-bdae-410f-b675-fe1814e4d43e.json
Deploy To Azure
CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where array_length(DestinationIPs) > 1

description: This query searches for devices with multiple possibly malicious destinations.
version: 1.0.2
tactics: []
queryFrequency: 1h
query: |
  CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where array_length(DestinationIPs) > 1  
status: Available
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
customDetails:
  Matches_Count: ModelMatchCount
  Matched_Models: Models
  Matches_Dest_IPs: DestinationIPs
  Device: SourceHostName
  Matches_ASP_URLs: ASPMatchURLs
  Matches_Max_Severity: MaxSeverity
alertDetailsOverride:
  alertDescriptionFormat: |
    Device {{SourceHostName}} communicated with multiple possibly malicious destinations.  The destination IPs were:

    {{DestinationIPs}}

    The associated with Awake model(s) were:

    {{Models}}    
  alertSeverityColumnName: 
  alertTacticsColumnName: 
  alertDisplayNameFormat: Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}
relevantTechniques: []
id: dfa3ec92-bdae-410f-b675-fe1814e4d43e
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIPs
  entityType: IP
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Medium
name: Awake Security - Model With Multiple Destinations
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: true
    groupByEntities:
    - Host
    groupByCustomDetails:
    - Device
    lookbackDuration: 3d
    enabled: true
    matchingMethod: Selected
    groupByAlertDetails: []
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma