Radiflow - Platform Alert
| Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
| Rulename | Radiflow - Platform Alert |
| Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
| Severity | Medium |
| Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
| Required data connectors | RadiflowIsid |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
| Version | 1.0.0 |
| Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
tactics:
- PrivilegeEscalation
- Execution
- CommandAndControl
- Exfiltration
- LateralMovement
- ImpairProcessControl
- InhibitResponseFunction
- InitialAccess
relevantTechniques:
version: 1.0.0
triggerOperator: gt
name: Radiflow - Platform Alert
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 1h
groupByAlertDetails: []
enabled: true
reopenClosedIncident: false
groupByEntities: []
matchingMethod: AllEntities
groupByCustomDetails: []
createIncident: true
suppressionEnabled: false
suppressionDuration: 5h
queryFrequency: 1h
alertDetailsOverride:
alertDisplayNameFormat: Radiflow Platform Alert
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: |
Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
alertDynamicProperties: []
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
query: |
RadiflowEvent
| where DeviceProduct =~ 'iSID'
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml
queryPeriod: 1h
triggerThreshold: 0
customDetails:
SourceHostName: SourceHostName
DestinationIP: DestinationIP
SourceVLAN: SourceVLAN
DestinationMAC: DestinationMACAddress
SourceVendor: SourceVendor
SourceType: SourceType
Port: Port
SourceIP: SourceIP
SourceMAC: SourceMACAddress
DestinationType: DestinationType
DestinationVendor: DestinationVendor
Protocol: Protocol
DestinationHostName: DestinationHostName
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
- identifier: NetBiosName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: DestinationHostName
- identifier: NetBiosName
columnName: DestinationHostName
entityType: Host
- fieldMappings:
- identifier: Address
columnName: SourceIP
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
requiredDataConnectors:
- dataTypes:
- RadiflowEvent
connectorId: RadiflowIsid