Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Platform Alert

Back
Idff0c781a-b30f-4acf-9cf1-75d7383d66d1
RulenameRadiflow - Platform Alert
DescriptionGenerates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules
SeverityMedium
TacticsPrivilegeEscalation
Execution
CommandAndControl
Exfiltration
LateralMovement
ImpairProcessControl
InhibitResponseFunction
InitialAccess
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
Version1.0.0
Arm templateff0c781a-b30f-4acf-9cf1-75d7383d66d1.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
triggerThreshold: 0
queryPeriod: 1h
customDetails:
  DestinationMAC: DestinationMACAddress
  Port: Port
  SourceMAC: SourceMACAddress
  SourceIP: SourceIP
  DestinationType: DestinationType
  DestinationVendor: DestinationVendor
  SourceType: SourceType
  SourceHostName: SourceHostName
  SourceVendor: SourceVendor
  DestinationIP: DestinationIP
  SourceVLAN: SourceVLAN
  Protocol: Protocol
  DestinationHostName: DestinationHostName
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
relevantTechniques: 
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: 1h
suppressionEnabled: false
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)  
queryFrequency: 1h
suppressionDuration: 5h
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: SourceHostName
  - identifier: NetBiosName
    columnName: SourceHostName
  entityType: Host
- fieldMappings:
  - identifier: HostName
    columnName: DestinationHostName
  - identifier: NetBiosName
    columnName: DestinationHostName
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: DestinationIP
  entityType: IP
triggerOperator: gt
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
status: Available
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
alertDetailsOverride:
  alertDescriptionFormat: |
        Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  alertDynamicProperties: []
  alertDisplayNameFormat: Radiflow Platform Alert
  alertSeverityColumnName: EventSeverity
severity: Medium
name: Radiflow - Platform Alert
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
          "alertDisplayNameFormat": "Radiflow Platform Alert",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
        "displayName": "Radiflow - Platform Alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Execution",
          "Exfiltration",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}