Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDynamicProperties: []
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
alertDisplayNameFormat: Radiflow Platform Alert
kind: Scheduled
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
suppressionDuration: 5h
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: 1h
groupByCustomDetails: []
groupByAlertDetails: []
matchingMethod: AllEntities
enabled: true
groupByEntities: []
createIncident: true
status: Available
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
- columnName: SourceHostName
identifier: HostName
- columnName: SourceHostName
identifier: NetBiosName
entityType: Host
- fieldMappings:
- columnName: DestinationHostName
identifier: HostName
- columnName: DestinationHostName
identifier: NetBiosName
entityType: Host
- fieldMappings:
- columnName: SourceIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: DestinationIP
identifier: Address
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
triggerOperator: gt
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
requiredDataConnectors:
- dataTypes:
- RadiflowEvent
connectorId: RadiflowIsid
relevantTechniques:
name: Radiflow - Platform Alert
queryFrequency: 1h
suppressionEnabled: false
version: 1.0.0
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
customDetails:
Protocol: Protocol
DestinationIP: DestinationIP
SourceType: SourceType
DestinationVendor: DestinationVendor
DestinationMAC: DestinationMACAddress
SourceMAC: SourceMACAddress
DestinationType: DestinationType
SourceVLAN: SourceVLAN
DestinationHostName: DestinationHostName
SourceVendor: SourceVendor
Port: Port
SourceIP: SourceIP
SourceHostName: SourceHostName