Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Radiflow - Platform Alert

Back
Idff0c781a-b30f-4acf-9cf1-75d7383d66d1
RulenameRadiflow - Platform Alert
DescriptionGenerates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules
SeverityMedium
TacticsPrivilegeEscalation
Execution
CommandAndControl
Exfiltration
LateralMovement
ImpairProcessControl
InhibitResponseFunction
InitialAccess
Required data connectorsRadiflowIsid
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
Version1.0.0
Arm templateff0c781a-b30f-4acf-9cf1-75d7383d66d1.json
Deploy To Azure
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
requiredDataConnectors:
- connectorId: RadiflowIsid
  dataTypes:
  - RadiflowEvent
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  - columnName: SourceHostName
    identifier: NetBiosName
- entityType: Host
  fieldMappings:
  - columnName: DestinationHostName
    identifier: HostName
  - columnName: DestinationHostName
    identifier: NetBiosName
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
version: 1.0.0
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
queryPeriod: 1h
suppressionDuration: 5h
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)  
triggerThreshold: 0
name: Radiflow - Platform Alert
customDetails:
  DestinationIP: DestinationIP
  SourceIP: SourceIP
  DestinationType: DestinationType
  DestinationVendor: DestinationVendor
  SourceVendor: SourceVendor
  SourceVLAN: SourceVLAN
  SourceMAC: SourceMACAddress
  SourceType: SourceType
  SourceHostName: SourceHostName
  DestinationHostName: DestinationHostName
  Port: Port
  Protocol: Protocol
  DestinationMAC: DestinationMACAddress
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
triggerOperator: gt
queryFrequency: 1h
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    matchingMethod: AllEntities
    groupByCustomDetails: []
    groupByAlertDetails: []
    reopenClosedIncident: false
    groupByEntities: []
  createIncident: true
kind: Scheduled
suppressionEnabled: false
alertDetailsOverride:
  alertDescriptionFormat: |
        Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  alertDynamicProperties: []
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: Radiflow Platform Alert
status: Available
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques: 
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
          "alertDisplayNameFormat": "Radiflow Platform Alert",
          "alertDynamicProperties": [],
          "alertSeverityColumnName": "EventSeverity"
        },
        "alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
        "customDetails": {
          "DestinationHostName": "DestinationHostName",
          "DestinationIP": "DestinationIP",
          "DestinationMAC": "DestinationMACAddress",
          "DestinationType": "DestinationType",
          "DestinationVendor": "DestinationVendor",
          "Port": "Port",
          "Protocol": "Protocol",
          "SourceHostName": "SourceHostName",
          "SourceIP": "SourceIP",
          "SourceMAC": "SourceMACAddress",
          "SourceType": "SourceType",
          "SourceVendor": "SourceVendor",
          "SourceVLAN": "SourceVLAN"
        },
        "description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
        "displayName": "Radiflow - Platform Alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "SourceHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DestinationHostName",
                "identifier": "NetBiosName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
        "query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Execution",
          "Exfiltration",
          "ImpairProcessControl",
          "InhibitResponseFunction",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}