Awake Security - Model With Multiple Destinations

Back


Id	dfa3ec92-bdae-410f-b675-fe1814e4d43e
Rulename	Awake Security - Model With Multiple Destinations
Description	This query searches for devices with multiple possibly malicious destinations.
Severity	Medium
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
Version	1.0.2
Arm template	dfa3ec92-bdae-410f-b675-fe1814e4d43e.json

KQL

CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
  DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
| where array_length(DestinationIPs) > 1

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic Rules/ModelMatchesWithMultipleDestinationsByDevice.yaml
queryPeriod: 1h
description: This query searches for devices with multiple possibly malicious destinations.
triggerThreshold: 0
name: Awake Security - Model With Multiple Destinations
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIPs
kind: Scheduled
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
customDetails:
  Matches_ASP_URLs: ASPMatchURLs
  Matches_Max_Severity: MaxSeverity
  Matched_Models: Models
  Matches_Dest_IPs: DestinationIPs
  Matches_Count: ModelMatchCount
  Device: SourceHostName
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 3d
    matchingMethod: Selected
    enabled: true
    groupByCustomDetails:
    - Device
    groupByEntities:
    - Host
    reopenClosedIncident: true
    groupByAlertDetails: []
tactics: []
id: dfa3ec92-bdae-410f-b675-fe1814e4d43e
status: Available
version: 1.0.2
query: |
  CommonSecurityLog | where DeviceVendor == "Arista Networks" and DeviceProduct == "Awake Security"
  | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), Models=make_set(Activity), ASPMatchURLs=make_set(DeviceCustomString2), SourceIPs=make_set(SourceIP),
    DestinationIPs=make_set(DestinationIP), ModelMatchCount=sum(EventCount), MaxSeverity=max(toint(LogSeverity)) by SourceHostName
  | where array_length(DestinationIPs) > 1  
alertDetailsOverride:
  alertDescriptionFormat: |
    Device {{SourceHostName}} communicated with multiple possibly malicious destinations.  The destination IPs were:

    {{DestinationIPs}}

    The associated with Awake model(s) were:

    {{Models}}    
  alertTacticsColumnName: 
  alertDisplayNameFormat: Awake Security - Model Matches With Multiple Destinations On Device {{SourceHostName}}
  alertSeverityColumnName: 
severity: Medium
relevantTechniques: []

ARM