Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Radiflow - Suspicious Malicious Activity Detected

Radiflow - Suspicious Malicious Activity Detected

Back
Idecac26b8-147d-478a-9d50-99be4bf14019
RulenameRadiflow - Suspicious Malicious Activity Detected
DescriptionGenerates an incident when malware is detected by Radiflow’s iSID.
SeverityHigh
TacticsDefenseEvasion
InhibitResponseFunction
TechniquesT0851
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml
Version1.0.0
Arm templateecac26b8-147d-478a-9d50-99be4bf14019.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (57, 58, 59, 60, 176, 178, 181)

queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
    groupByAlertDetails: []
    enabled: true
    lookbackDuration: 1h
    groupByCustomDetails: []
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (57, 58, 59, 60, 176, 178, 181)  
customDetails:
  SourceVLAN: SourceVLAN
  SourceMAC: SourceMACAddress
  Protocol: Protocol
  DestinationVendor: DestinationVendor
  DestinationType: DestinationType
  SourceVendor: SourceVendor
  DestinationHostName: DestinationHostName
  SourceIP: SourceIP
  DestinationMAC: DestinationMACAddress
  Port: Port
  DestinationIP: DestinationIP
  SourceType: SourceType
  SourceHostName: SourceHostName
relevantTechniques:
- T0851
name: Radiflow - Suspicious Malicious Activity Detected
description: |
    'Generates an incident when malware is detected by Radiflow's iSID.'
severity: High
queryPeriod: 1h
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |-
    A possible malware has been detected in the network as specified in the details of the incident. Please verify the source of this activity.

    Message: {{EventMessage}}
    Source device: {{{SourceIP}} 
    Destination device (if any): {{DestinationIP}}    
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: 'Suspicious Malicious Activity Detected: {{EventMessage}}'
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
status: Available
tactics:
- DefenseEvasion
- InhibitResponseFunction
id: ecac26b8-147d-478a-9d50-99be4bf14019
version: 1.0.0
kind: Scheduled
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ecac26b8-147d-478a-9d50-99be4bf14019')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ecac26b8-147d-478a-9d50-99be4bf14019')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A possible malware has been detected in the network as specified in the details of the incident. Please verify the source of this activity.\n\nMessage: {{EventMessage}}\nSource device: {{{SourceIP}} \nDestination device (if any): {{DestinationIP}}",
          "alertDisplayNameFormat": "Suspicious Malicious Activity Detected: {{EventMessage}}",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "ecac26b8-147d-478a-9d50-99be4bf14019",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when malware is detected by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Suspicious Malicious Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID in (57, 58, 59, 60, 176, 178, 181)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InhibitResponseFunction"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}