Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Radiflow - Suspicious Malicious Activity Detected

Radiflow - Suspicious Malicious Activity Detected

Back
Idecac26b8-147d-478a-9d50-99be4bf14019
RulenameRadiflow - Suspicious Malicious Activity Detected
DescriptionGenerates an incident when malware is detected by Radiflow’s iSID.
SeverityHigh
TacticsDefenseEvasion
InhibitResponseFunction
TechniquesT0851
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml
Version1.0.0
Arm templateecac26b8-147d-478a-9d50-99be4bf14019.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID in (57, 58, 59, 60, 176, 178, 181)

name: Radiflow - Suspicious Malicious Activity Detected
relevantTechniques:
- T0851
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    groupByAlertDetails: []
    enabled: true
    lookbackDuration: 1h
    groupByEntities: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID in (57, 58, 59, 60, 176, 178, 181)  
tactics:
- DefenseEvasion
- InhibitResponseFunction
description: |
    'Generates an incident when malware is detected by Radiflow's iSID.'
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: DestinationIP
    identifier: Address
  entityType: IP
suppressionEnabled: false
queryFrequency: 1h
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []
  alertDescriptionFormat: |-
    A possible malware has been detected in the network as specified in the details of the incident. Please verify the source of this activity.

    Message: {{EventMessage}}
    Source device: {{{SourceIP}} 
    Destination device (if any): {{DestinationIP}}    
  alertDisplayNameFormat: 'Suspicious Malicious Activity Detected: {{EventMessage}}'
triggerOperator: gt
suppressionDuration: 5h
version: 1.0.0
queryPeriod: 1h
status: Available
kind: Scheduled
severity: High
triggerThreshold: 0
id: ecac26b8-147d-478a-9d50-99be4bf14019
customDetails:
  SourceVendor: SourceVendor
  Protocol: Protocol
  SourceIP: SourceIP
  SourceMAC: SourceMACAddress
  SourceVLAN: SourceVLAN
  SourceHostName: SourceHostName
  SourceType: SourceType
  DestinationType: DestinationType
  DestinationIP: DestinationIP
  DestinationVendor: DestinationVendor
  DestinationMAC: DestinationMACAddress
  DestinationHostName: DestinationHostName
  Port: Port

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ecac26b8-147d-478a-9d50-99be4bf14019')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ecac26b8-147d-478a-9d50-99be4bf14019')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A possible malware has been detected in the network as specified in the details of the incident. Please verify the source of this activity.\n\nMessage: {{EventMessage}}\nSource device: {{{SourceIP}} \nDestination device (if any): {{DestinationIP}}",
          "alertDisplayNameFormat": "Suspicious Malicious Activity Detected: {{EventMessage}}",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "ecac26b8-147d-478a-9d50-99be4bf14019",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "'Generates an incident when malware is detected by Radiflow's iSID.'\n",
        "displayName": "Radiflow - Suspicious Malicious Activity Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowSuspiciousMaliciousActivityDetected.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID in (57, 58, 59, 60, 176, 178, 181)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InhibitResponseFunction"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}