Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
triggerThreshold: 0
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DestinationIP
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
triggerOperator: gt
suppressionDuration: 5h
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByCustomDetails: []
enabled: true
matchingMethod: AllEntities
lookbackDuration: 1h
groupByEntities: []
reopenClosedIncident: false
groupByAlertDetails: []
queryFrequency: 1h
version: 1.0.0
customDetails:
DestinationHostName: DestinationHostName
Protocol: Protocol
SourceVendor: SourceVendor
SourceVLAN: SourceVLAN
Port: Port
DestinationIP: DestinationIP
DestinationType: DestinationType
DestinationMAC: DestinationMACAddress
DestinationVendor: DestinationVendor
SourceIP: SourceIP
SourceType: SourceType
SourceHostName: SourceHostName
SourceMAC: SourceMACAddress
requiredDataConnectors:
- connectorId: RadiflowIsid
dataTypes:
- RadiflowEvent
alertDetailsOverride:
alertDisplayNameFormat: Radiflow Platform Alert
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
alertDynamicProperties: []
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
status: Available
name: Radiflow - Platform Alert
severity: Medium
suppressionEnabled: false
queryPeriod: 1h