Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Platform Alert

Back
Idff0c781a-b30f-4acf-9cf1-75d7383d66d1
RulenameRadiflow - Platform Alert
DescriptionGenerates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules
SeverityMedium
TacticsPrivilegeEscalation
Execution
CommandAndControl
Exfiltration
LateralMovement
ImpairProcessControl
InhibitResponseFunction
InitialAccess
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
Version1.0.0
Arm templateff0c781a-b30f-4acf-9cf1-75d7383d66d1.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)  
queryPeriod: 1h
suppressionDuration: 5h
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
severity: Medium
customDetails:
  SourceIP: SourceIP
  SourceMAC: SourceMACAddress
  SourceType: SourceType
  DestinationType: DestinationType
  Protocol: Protocol
  DestinationVendor: DestinationVendor
  SourceVLAN: SourceVLAN
  SourceHostName: SourceHostName
  DestinationIP: DestinationIP
  DestinationMAC: DestinationMACAddress
  Port: Port
  SourceVendor: SourceVendor
  DestinationHostName: DestinationHostName
kind: Scheduled
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
name: Radiflow - Platform Alert
alertDetailsOverride:
  alertDescriptionFormat: |
        Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: Radiflow Platform Alert
requiredDataConnectors:
- dataTypes:
  - RadiflowEvent
  connectorId: RadiflowIsid
suppressionEnabled: false
triggerThreshold: 0
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
triggerOperator: gt
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails: []
    lookbackDuration: 1h
    groupByAlertDetails: []
    matchingMethod: AllEntities
    groupByEntities: []
    reopenClosedIncident: false
    enabled: true
relevantTechniques: 
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
          "alertDisplayNameFormat": "Radiflow Platform Alert",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
        "displayName": "Radiflow - Platform Alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Execution",
          "Exfiltration",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}