Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
suppressionDuration: 5h
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
entityType: Host
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- RadiflowEvent
connectorId: RadiflowIsid
queryFrequency: 1h
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: Radiflow Platform Alert
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
suppressionEnabled: false
queryPeriod: 1h
status: Available
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 1h
groupByAlertDetails: []
reopenClosedIncident: false
matchingMethod: AllEntities
groupByCustomDetails: []
groupByEntities: []
enabled: true
createIncident: true
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
name: Radiflow - Platform Alert
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
severity: Medium
relevantTechniques:
triggerThreshold: 0
version: 1.0.0
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
customDetails:
Port: Port
SourceMAC: SourceMACAddress
SourceIP: SourceIP
SourceHostName: SourceHostName
SourceVendor: SourceVendor
DestinationIP: DestinationIP
DestinationVendor: DestinationVendor
Protocol: Protocol
SourceVLAN: SourceVLAN
DestinationType: DestinationType
DestinationHostName: DestinationHostName
DestinationMAC: DestinationMACAddress
SourceType: SourceType