Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not already covered by any of the other Radiflow analytic rules (catch-all rule keyed on EventClassID) |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
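// Catch-all for Radiflow iSID: return every iSID event whose EventClassID is not
// already handled by one of the dedicated Radiflow analytic rules.
// The exclusion list is the single source of truth for "already covered" — any new
// Radiflow rule must add its EventClassID(s) here, or that alert surfaces twice
// (once from the dedicated rule, once from this one).
RadiflowEvent
| where DeviceProduct =~ 'iSID'
// NOTE(review): the list mixes a string ('User Activity') with numeric literals.
// Confirm the column type of EventClassID — if it is a string column the numeric
// literals may never match, and those classes would NOT be excluded. `!in` is
// case-sensitive; rows with an empty/null EventClassID are not excluded either
// and will fire. (One duplicated entry, 5800, removed from the original list.)
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 6000, 17600, 17800, 18100)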
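# Microsoft Sentinel scheduled analytic rule — Radiflow iSID "platform alert"
# catch-all. Fires once per iSID event whose EventClassID is not in the
# exclusion list inside `query`, i.e. alerts no dedicated Radiflow rule handles.
# Indentation reconstructed to the Sentinel rule schema (the page had it stripped).
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
name: Radiflow - Platform Alert
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
# Rule-level severity; per-alert severity is overridden below by the event's
# EventSeverity column (alertDetailsOverride.alertSeverityColumnName).
severity: Medium
status: Available
kind: Scheduled
version: 1.0.0
# NOTE(review): OriginalUri is not a standard Sentinel rule key; it appears to be
# page provenance rather than part of the rule schema — confirm before shipping.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
requiredDataConnectors:
  - connectorId: RadiflowIsid
    dataTypes:
      - RadiflowEvent
# Frequency == period, so consecutive runs do not overlap: events that are
# ingested late (after the hour window has been queried) are never evaluated.
queryFrequency: 1h
queryPeriod: 1h
# gt 0: any returned row produces an alert.
triggerOperator: gt
triggerThreshold: 0
# Broad tactic set because this rule covers whatever the dedicated rules do not.
tactics:
  - PrivilegeEscalation
  - Execution
  - CommandAndControl
  - Exfiltration
  - LateralMovement
  - ImpairProcessControl
  - InhibitResponseFunction
  - InitialAccess
# Explicit empty list: a bare `relevantTechniques:` parses as null, not as an
# empty sequence, which some schema validators reject.
relevantTechniques: []
# The exclusion list is the single source of truth for "already covered by a
# dedicated rule" — every new Radiflow rule must add its EventClassID(s) here or
# the alert will surface twice. NOTE(review): the list mixes a string literal with
# numeric ones (confirm EventClassID's column type), `!in` is case-sensitive, and
# the value 5800 appears twice (harmless, but a sign the list is hand-maintained).
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
# Source and destination hosts/IPs become Sentinel entities; grouping below
# matches on all of them.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
      - identifier: NetBiosName
        columnName: SourceHostName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DestinationHostName
      - identifier: NetBiosName
        columnName: DestinationHostName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP
# Raw columns surfaced on the alert for triage (alert field: table column).
customDetails:
  SourceIP: SourceIP
  SourceMAC: SourceMACAddress
  SourceVLAN: SourceVLAN
  SourceVendor: SourceVendor
  SourceType: SourceType
  SourceHostName: SourceHostName
  DestinationIP: DestinationIP
  DestinationMAC: DestinationMACAddress
  DestinationVendor: DestinationVendor
  DestinationType: DestinationType
  DestinationHostName: DestinationHostName
  Protocol: Protocol
  Port: Port
alertDetailsOverride:
  alertDisplayNameFormat: Radiflow Platform Alert
  # NOTE(review): inside a `|` block scalar the `\n` sequences are the literal
  # two characters backslash-n, not newlines. Confirm Sentinel renders them as
  # line breaks; if not, replace them with real newlines in the block.
  alertDescriptionFormat: |
    Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  # Per-alert severity comes from the iSID event, so a single rule can emit
  # Low..High alerts; the rule-level `severity` above is only the fallback.
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []
# One alert per returned row. Because this is a catch-all with no threshold and
# suppression disabled, a chatty iSID class missing from the exclusion list can
# flood alerts; incident grouping below is the only dampener.
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    # AllEntities: alerts sharing the same source/destination host and IP
    # entities within the lookback window are grouped into one incident.
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
# suppressionDuration is inert while suppressionEnabled is false.
suppressionDuration: 5h
suppressionEnabled: false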