Google SecOps - Detection Alerts
| Field | Value |
| --- | --- |
| Id | f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a |
| Rulename | Google SecOps - Detection Alerts |
| Description | Creates one incident per active Google Security Operations detection alert in Microsoft Sentinel. Covers all rule types and severity levels with no additional filtering, providing broad visibility across all Google SecOps alerts. Use alongside focused rules for complete detection coverage. |
| Severity | Medium |
| Tactics | InitialAccess, DefenseEvasion, LateralMovement, PrivilegeEscalation, CommandAndControl |
| Techniques | T1078, T1021, T1566 |
| Required data connectors | GSDetectionAlerts |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-DetectionAlerts.yaml |
| Version | 1.0.0 |
| Arm template | f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a.json |
Query (KQL):

```kusto
GoogleSecOpsDetectionAlerts
| where alertState == "ALERTING"
```
Full rule definition (YAML):

```yaml
description: |
  Creates one incident per active Google Security Operations detection alert in Microsoft Sentinel. Covers all rule types and severity levels with no additional filtering, providing broad visibility across all Google SecOps alerts. Use alongside focused rules for complete detection coverage.
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: P1D
    reopenClosedIncident: false
    groupByCustomDetails:
      - alert_identifier
    matchingMethod: Selected
alertDetailsOverride:
  alertDisplayNameFormat: 'Google SecOps Alert: {{ruleName}} : {{id}}'
  alertDescriptionFormat: 'Google SecOps detection alert. Rule: {{ruleName}}. Severity: {{severity}}. Type: {{ruleType}}.'
query: |
  GoogleSecOpsDetectionAlerts
  | where alertState == "ALERTING"
requiredDataConnectors:
  - connectorId: GSDetectionAlerts
    dataTypes:
      - DetectionAlerts_CL
version: 1.0.0
entityMappings:
  - fieldMappings:
      - identifier: Address
        columnName: varPrincipalIp
    entityType: IP
  - fieldMappings:
      - identifier: Address
        columnName: varTargetIp
    entityType: IP
  - fieldMappings:
      - identifier: Address
        columnName: varSourceIp
    entityType: IP
  - fieldMappings:
      - identifier: Address
        columnName: varCorrelationIp
    entityType: IP
  - fieldMappings:
      - identifier: Url
        columnName: urlBackToProduct
    entityType: URL
triggerOperator: gt
id: f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a
triggerThreshold: 0
customDetails:
  SourceHostname: varSourceHostname
  CorrelationIP: varCorrelationIp
  RuleName: ruleName
  DetectionType: detectionType
  RuleId: ruleId
  TargetIP: varTargetIp
  PrincipalUser: varPrincipalUserUserid
  TargetUser: varTargetUserUserid
  alert_identifier: id
  TargetHostname: varTargetHostname
  RuleType: ruleType
  AlertState: alertState
  SourceUser: varSourceUserUserid
  PrincipalHostname: varPrincipalHostname
  RiskScore: riskScore
  DetectionTime: detectionTime
  PrincipalIP: varPrincipalIp
  SourceIP: varSourceIp
  Severity: severity
tactics:
  - InitialAccess
  - DefenseEvasion
  - LateralMovement
  - PrivilegeEscalation
  - CommandAndControl
name: Google SecOps - Detection Alerts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Analytic Rules/GoogleSecOps-DetectionAlerts.yaml
status: Available
queryFrequency: 10m
queryPeriod: 10m
relevantTechniques:
  - T1078
  - T1021
  - T1566
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Medium
```