Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
suppressionEnabled: false
suppressionDuration: 5h
queryPeriod: 1h
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDynamicProperties: []
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
alertDisplayNameFormat: Radiflow Platform Alert
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
entityType: Host
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
customDetails:
SourceMAC: SourceMACAddress
SourceVendor: SourceVendor
DestinationVendor: DestinationVendor
Port: Port
DestinationHostName: DestinationHostName
SourceHostName: SourceHostName
Protocol: Protocol
SourceIP: SourceIP
DestinationIP: DestinationIP
SourceVLAN: SourceVLAN
DestinationMAC: DestinationMACAddress
SourceType: SourceType
DestinationType: DestinationType
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
triggerOperator: gt
triggerThreshold: 0
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
- RadiflowEvent
connectorId: RadiflowIsid
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
matchingMethod: AllEntities
groupByCustomDetails: []
reopenClosedIncident: false
groupByEntities: []
enabled: true
lookbackDuration: 1h
createIncident: true
kind: Scheduled
status: Available
version: 1.0.0
name: Radiflow - Platform Alert
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
"alertDisplayNameFormat": "Radiflow Platform Alert",
"alertDynamicProperties": [],
"alertSeverityColumnName": "EventSeverity"
},
"alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
"customDetails": {
"DestinationHostName": "DestinationHostName",
"DestinationIP": "DestinationIP",
"DestinationMAC": "DestinationMACAddress",
"DestinationType": "DestinationType",
"DestinationVendor": "DestinationVendor",
"Port": "Port",
"Protocol": "Protocol",
"SourceHostName": "SourceHostName",
"SourceIP": "SourceIP",
"SourceMAC": "SourceMACAddress",
"SourceType": "SourceType",
"SourceVendor": "SourceVendor",
"SourceVLAN": "SourceVLAN"
},
"description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
"displayName": "Radiflow - Platform Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
},
{
"columnName": "SourceHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DestinationHostName",
"identifier": "HostName"
},
{
"columnName": "DestinationHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
"query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution",
"Exfiltration",
"ImpairProcessControl",
"InhibitResponseFunction",
"InitialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": null,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}