Google SecOps - Single-Event Alert
| Field | Value |
|---|---|
| Id | e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f |
| Rulename | Google SecOps - Single-Event Alert |
| Description | Creates incidents in Microsoft Sentinel when Google Security Operations raises an active single-event alert (ruleType SINGLE_EVENT, alertState ALERTING, riskScore >= 40) at MEDIUM, HIGH, or CRITICAL severity. These alerts represent a single action, such as malware execution, credential abuse, or defense evasion, that is severe enough to warrant an incident without multi-signal correlation. The rule's own severity is fixed at High, so qualifying MEDIUM alerts also produce High-severity incidents. |
| Severity | High |
| Tactics | Execution, CredentialAccess, DefenseEvasion, Impact |
| Techniques | T1059, T1110, T1562, T1485 |
| Required data connectors | GSDetectionAlerts |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-SingleEventAlert.yaml |
| Version | 1.0.0 |
| Arm template | e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f.json |
```kql
GoogleSecOpsDetectionAlerts
| where ruleType == "SINGLE_EVENT"
| where severity in ("HIGH", "CRITICAL", "MEDIUM")
| where riskScore >= 40
| where alertState == "ALERTING"
```
```yaml
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varPrincipalIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varTargetIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varSourceIp
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: varCorrelationIp
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: urlBackToProduct
tactics:
  - Execution
  - CredentialAccess
  - DefenseEvasion
  - Impact
requiredDataConnectors:
  - dataTypes:
      - DetectionAlerts_CL
    connectorId: GSDetectionAlerts
alertDetailsOverride:
  alertDisplayNameFormat: 'Single-Event : {{ruleName}} : {{id}}'
  alertDescriptionFormat: 'Google SecOps flagged a single high-severity event as an active alert requiring immediate action. Rule: {{ruleName}}.'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: P1D
    groupByCustomDetails:
      - alert_identifier
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  TargetUser: varTargetUserUserid
  RuleType: ruleType
  CorrelationIP: varCorrelationIp
  PrincipalIP: varPrincipalIp
  RuleName: ruleName
  TargetHostname: varTargetHostname
  alert_identifier: id
  RiskScore: riskScore
  Severity: severity
  SourceIP: varSourceIp
  SourceUser: varSourceUserUserid
  TargetIP: varTargetIp
  PrincipalHostname: varPrincipalHostname
  DetectionTime: detectionTime
  PrincipalUser: varPrincipalUserUserid
  SourceHostname: varSourceHostname
query: |
  GoogleSecOpsDetectionAlerts
  | where ruleType == "SINGLE_EVENT"
  | where severity in ("HIGH", "CRITICAL", "MEDIUM")
  | where riskScore >= 40
  | where alertState == "ALERTING"
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-SingleEventAlert.yaml
kind: Scheduled
queryPeriod: 10m
version: 1.0.0
name: Google SecOps - Single-Event Alert
queryFrequency: 10m
triggerThreshold: 0
relevantTechniques:
  - T1059
  - T1110
  - T1562
  - T1485
description: |
  Creates incidents in Microsoft Sentinel when Google Security Operations raises an active single-event alert (ruleType SINGLE_EVENT, alertState ALERTING, riskScore >= 40) at MEDIUM, HIGH, or CRITICAL severity. These alerts represent a single action, such as malware execution, credential abuse, or defense evasion, that is severe enough to warrant an incident without multi-signal correlation. The rule's own severity is fixed at High, so qualifying MEDIUM alerts also produce High-severity incidents.
triggerOperator: gt
```
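The following Python is an added example, not code from the Azure-Sentinel repository or the Google SecOps solution. It re-implements the four `where` clauses of the query above over constructed sample rows shaped like the `GoogleSecOpsDetectionAlerts` columns the rule reads, and then applies a simplified model of the `incidentConfiguration` block (AlertPerResult, grouping on the `alert_identifier` custom detail, a one-day lookback, closed incidents never reopened). The sample rows, the `row` helper, the `Incident` class and the grouping model are all assumptions for illustration; Sentinel's real grouping engine is not reproduced. One row carries the severity `High` (mixed case) purely to show that KQL's `in` and `==` are case-sensitive (`in~` and `=~` are not); nothing on the page says the connector emits mixed-case values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real alerts). Only the columns the rule reads are modelled:
# id, ruleType, severity, riskScore, alertState, detectionTime.
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def row(id_, rule_type, severity, risk, state, minutes):
    """Hypothetical helper that builds one alert row `minutes` after T0."""
    return {"id": id_, "ruleType": rule_type, "severity": severity,
            "riskScore": risk, "alertState": state,
            "detectionTime": T0 + timedelta(minutes=minutes)}


SAMPLE_ALERTS = [
    row("det-1", "SINGLE_EVENT", "HIGH", 80, "ALERTING", 0),       # matches
    row("det-2", "MULTI_EVENT", "CRITICAL", 90, "ALERTING", 1),    # wrong ruleType
    row("det-3", "SINGLE_EVENT", "MEDIUM", 39, "ALERTING", 2),     # riskScore below 40
    row("det-4", "SINGLE_EVENT", "LOW", 95, "ALERTING", 3),        # severity not in the list
    row("det-5", "SINGLE_EVENT", "HIGH", 70, "NOT_ALERTING", 4),   # not an active alert
    row("det-6", "SINGLE_EVENT", "High", 80, "ALERTING", 5),       # case-sensitive compare: no match
    row("det-1", "SINGLE_EVENT", "HIGH", 85, "ALERTING", 30),      # later update of det-1: matches
]


def matches_rule(r):
    """The rule's four `where` clauses, with KQL's case-sensitive string semantics."""
    return (r["ruleType"] == "SINGLE_EVENT"
            and r["severity"] in ("HIGH", "CRITICAL", "MEDIUM")
            and r["riskScore"] >= 40
            and r["alertState"] == "ALERTING")


def run_rule(rows):
    """aggregationKind AlertPerResult: every matching row becomes its own Sentinel alert."""
    return [r for r in rows if matches_rule(r)]


@dataclass
class Incident:
    alert_identifier: str           # the custom detail the rule groups on (= id)
    created: datetime
    alerts: list = field(default_factory=list)
    closed: bool = False


def group_into_incidents(alerts, incidents, lookback=timedelta(days=1)):
    """Simplified model (an assumption, not Sentinel's engine) of groupingConfiguration:
    matchingMethod Selected on alert_identifier, lookbackDuration P1D,
    reopenClosedIncident false. An alert joins an open incident with the same key that was
    created within the lookback window; otherwise a new incident is created."""
    for a in alerts:
        target = next((i for i in incidents
                       if i.alert_identifier == a["id"] and not i.closed
                       and timedelta(0) <= a["detectionTime"] - i.created <= lookback), None)
        if target is None:
            target = Incident(alert_identifier=a["id"], created=a["detectionTime"])
            incidents.append(target)
        target.alerts.append(a)
    return incidents


def demo():
    """Run the rule over the sample, group the alerts, close the incident, then show that a
    later re-alert on the same detection id opens a fresh incident instead of reopening it."""
    alerts = run_rule(SAMPLE_ALERTS)
    incidents = group_into_incidents(alerts, [])
    incidents[0].closed = True
    late = [row("det-1", "SINGLE_EVENT", "CRITICAL", 90, "ALERTING", 60)]
    incidents = group_into_incidents(run_rule(late), incidents)
    return alerts, incidents


if __name__ == "__main__":
    matched, incs = demo()
    print("alerts raised:", [a["id"] for a in matched])
    for inc in incs:
        print(f"incident {inc.alert_identifier}: {len(inc.alerts)} alert(s), closed={inc.closed}")
```

Two rows from the sample survive the filter, both for `det-1`, and they collapse into one incident; after an analyst closes it, the next `det-1` alert opens a second incident because `reopenClosedIncident` is false. The same filter check can be done inside Sentinel itself by piping a `datatable(...)` literal with these rows into the rule's `where` clauses before enabling the rule.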