Radiflow - Platform Alert
Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
Rulename | Radiflow - Platform Alert |
Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
Severity | Medium |
Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
Required data connectors | RadiflowIsid |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
Version | 1.0.0 |
Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
suppressionEnabled: false
requiredDataConnectors:
- connectorId: RadiflowIsid
dataTypes:
- RadiflowEvent
severity: Medium
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
customDetails:
SourceVLAN: SourceVLAN
DestinationIP: DestinationIP
SourceType: SourceType
SourceHostName: SourceHostName
Port: Port
SourceIP: SourceIP
DestinationHostName: DestinationHostName
SourceVendor: SourceVendor
Protocol: Protocol
DestinationMAC: DestinationMACAddress
SourceMAC: SourceMACAddress
DestinationType: DestinationType
DestinationVendor: DestinationVendor
name: Radiflow - Platform Alert
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
queryFrequency: 1h
triggerThreshold: 0
status: Available
triggerOperator: gt
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: 1h
enabled: true
groupByCustomDetails: []
groupByEntities: []
groupByAlertDetails: []
reopenClosedIncident: false
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDynamicProperties: []
alertDisplayNameFormat: Radiflow Platform Alert
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
entityType: Host
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
relevantTechniques:
suppressionDuration: 5h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
"alertDisplayNameFormat": "Radiflow Platform Alert",
"alertDynamicProperties": [],
"alertSeverityColumnName": "EventSeverity"
},
"alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
"customDetails": {
"DestinationHostName": "DestinationHostName",
"DestinationIP": "DestinationIP",
"DestinationMAC": "DestinationMACAddress",
"DestinationType": "DestinationType",
"DestinationVendor": "DestinationVendor",
"Port": "Port",
"Protocol": "Protocol",
"SourceHostName": "SourceHostName",
"SourceIP": "SourceIP",
"SourceMAC": "SourceMACAddress",
"SourceType": "SourceType",
"SourceVendor": "SourceVendor",
"SourceVLAN": "SourceVLAN"
},
"description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
"displayName": "Radiflow - Platform Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
},
{
"columnName": "SourceHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DestinationHostName",
"identifier": "HostName"
},
{
"columnName": "DestinationHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
"query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution",
"Exfiltration",
"ImpairProcessControl",
"InhibitResponseFunction",
"InitialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": null,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}