Radiflow - Platform Alert
| Field | Value |
|---|---|
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation, Execution, CommandAndControl, Exfiltration, LateralMovement, ImpairProcessControl, InhibitResponseFunction, InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
```kql
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
```
```yaml
kind: Scheduled
triggerOperator: gt
queryFrequency: 1h
suppressionDuration: 5h
customDetails:
  SourceIP: SourceIP
  DestinationVendor: DestinationVendor
  Protocol: Protocol
  DestinationMAC: DestinationMACAddress
  DestinationType: DestinationType
  SourceType: SourceType
  SourceHostName: SourceHostName
  Port: Port
  SourceMAC: SourceMACAddress
  DestinationIP: DestinationIP
  SourceVLAN: SourceVLAN
  DestinationHostName: DestinationHostName
  SourceVendor: SourceVendor
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
queryPeriod: 1h
relevantTechniques:
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: SourceHostName
        identifier: HostName
      - columnName: SourceHostName
        identifier: NetBiosName
  - entityType: Host
    fieldMappings:
      - columnName: DestinationHostName
        identifier: HostName
      - columnName: DestinationHostName
        identifier: NetBiosName
  - entityType: IP
    fieldMappings:
      - columnName: SourceIP
        identifier: Address
  - entityType: IP
    fieldMappings:
      - columnName: DestinationIP
        identifier: Address
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
name: Radiflow - Platform Alert
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
severity: Medium
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: |
    Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  alertDisplayNameFormat: Radiflow Platform Alert
  alertDynamicProperties: []
suppressionEnabled: false
tactics:
  - PrivilegeEscalation
  - Execution
  - CommandAndControl
  - Exfiltration
  - LateralMovement
  - ImpairProcessControl
  - InhibitResponseFunction
  - InitialAccess
requiredDataConnectors:
  - connectorId: RadiflowIsid
    dataTypes:
      - RadiflowEvent
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    lookbackDuration: 1h
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    groupByAlertDetails: []
    groupByEntities: []
  createIncident: true
status: Available
triggerThreshold: 0
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
```