Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIP
- entityType: IP
fieldMappings:
- identifier: Address
columnName: DestinationIP
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- RadiflowEvent
connectorId: RadiflowIsid
alertDetailsOverride:
alertDisplayNameFormat: Radiflow Platform Alert
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
alertSeverityColumnName: EventSeverity
alertDynamicProperties: []
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: 1h
groupByEntities: []
groupByCustomDetails: []
enabled: true
matchingMethod: AllEntities
createIncident: true
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
SourceVLAN: SourceVLAN
DestinationHostName: DestinationHostName
SourceMAC: SourceMACAddress
SourceVendor: SourceVendor
SourceIP: SourceIP
Protocol: Protocol
SourceType: SourceType
DestinationType: DestinationType
Port: Port
DestinationIP: DestinationIP
DestinationMAC: DestinationMACAddress
SourceHostName: SourceHostName
DestinationVendor: DestinationVendor
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Radiflow - Platform Alert
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
triggerOperator: gt