Radiflow - Platform Alert
Id | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 |
Rulename | Radiflow - Platform Alert |
Description | Generates an incident when an alert raised by Radiflow’s iSID is not contemplated by any of the other analytic rules |
Severity | Medium |
Tactics | PrivilegeEscalation Execution CommandAndControl Exfiltration LateralMovement ImpairProcessControl InhibitResponseFunction InitialAccess |
Required data connectors | RadiflowIsid |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml |
Version | 1.0.0 |
Arm template | ff0c781a-b30f-4acf-9cf1-75d7383d66d1.json |
// Catch-all query for Radiflow iSID events: returns every event whose
// EventClassID is not in the exclusion list below (the rule description says
// those IDs are the ones handled by the other Radiflow analytic rules).
RadiflowEvent
// =~ is case-insensitive string equality.
| where DeviceProduct =~ 'iSID'
// NOTE(review): the exclusion list mixes a string literal ('User Activity') with
// integer literals and lists 5800 twice. The type of EventClassID is not visible
// here — confirm the integer values actually match the column, otherwise the
// exclusions silently fail and events are reported twice. Keep this list in
// sync with the EventClassIDs used by the dedicated Radiflow rules.
| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)
# Scheduled Microsoft Sentinel analytic rule: catch-all for Radiflow iSID alerts
# that no dedicated Radiflow rule handles (see `description`). Runs hourly over
# the previous hour and raises one alert per matching event.
id: ff0c781a-b30f-4acf-9cf1-75d7383d66d1
name: Radiflow - Platform Alert
description: Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules
# Static template severity; the per-alert severity is taken from the
# EventSeverity column (see alertSeverityColumnName under alertDetailsOverride).
severity: Medium
status: Available
kind: Scheduled
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml

requiredDataConnectors:
  - connectorId: RadiflowIsid
    dataTypes:
      - RadiflowEvent

# Schedule: run every hour, query the last hour (no overlap, no gap).
queryFrequency: 1h
queryPeriod: 1h
# Fire whenever the query returns at least one row.
triggerOperator: gt
triggerThreshold: 0

# Mixes Enterprise tactics with ATT&CK for ICS tactics
# (ImpairProcessControl, InhibitResponseFunction).
tactics:
  - PrivilegeEscalation
  - Execution
  - CommandAndControl
  - Exfiltration
  - LateralMovement
  - ImpairProcessControl
  - InhibitResponseFunction
  - InitialAccess
# No technique IDs are assigned. A bare key parses as null (the rendered ARM
# template carries "techniques": null); write `[]` if an explicit empty list is
# intended.
relevantTechniques:

# NOTE(review): the EventClassID exclusion list must stay in sync with the IDs
# covered by the other Radiflow rules, otherwise an event is reported twice or
# not at all. It mixes a string ('User Activity') with integer literals and
# lists 5800 twice; the column type of EventClassID is not visible here —
# confirm the integer values match.
query: |
  RadiflowEvent
  | where DeviceProduct =~ 'iSID'
  | where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)

# Source and destination are mapped as separate Host and IP entities; both Host
# identifiers are filled from the same hostname column.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
      - identifier: NetBiosName
        columnName: SourceHostName
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DestinationHostName
      - identifier: NetBiosName
        columnName: DestinationHostName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DestinationIP

# Alert custom details: label -> query column.
customDetails:
  DestinationHostName: DestinationHostName
  DestinationIP: DestinationIP
  DestinationMAC: DestinationMACAddress
  DestinationType: DestinationType
  DestinationVendor: DestinationVendor
  Port: Port
  Protocol: Protocol
  SourceHostName: SourceHostName
  SourceIP: SourceIP
  SourceMAC: SourceMACAddress
  SourceType: SourceType
  SourceVendor: SourceVendor
  SourceVLAN: SourceVLAN

alertDetailsOverride:
  alertDisplayNameFormat: Radiflow Platform Alert
  # NOTE(review): inside a `|` block scalar the "\n" sequences stay as two
  # literal characters (the rendered ARM template shows them as "\\n"); confirm
  # Sentinel expands them when rendering the description, otherwise analysts
  # see a literal backslash-n.
  alertDescriptionFormat: |
    Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\n\nMessage: {{EventMessage}} \nSourceIP: {{SourceIP}} \nDestination IP (if any): {{DestinationIP}}
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties: []

# One alert per returned row.
eventGroupingSettings:
  aggregationKind: AlertPerResult

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

# Suppression is configured but switched off.
suppressionEnabled: false
suppressionDuration: 5h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0c781a-b30f-4acf-9cf1-75d7383d66d1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Suspicious activity has been detected by Radiflow's iSID. Please check the following details for more information.\\n\\nMessage: {{EventMessage}} \\nSourceIP: {{SourceIP}} \\nDestination IP (if any): {{DestinationIP}}\n",
"alertDisplayNameFormat": "Radiflow Platform Alert",
"alertDynamicProperties": [],
"alertSeverityColumnName": "EventSeverity"
},
"alertRuleTemplateName": "ff0c781a-b30f-4acf-9cf1-75d7383d66d1",
"customDetails": {
"DestinationHostName": "DestinationHostName",
"DestinationIP": "DestinationIP",
"DestinationMAC": "DestinationMACAddress",
"DestinationType": "DestinationType",
"DestinationVendor": "DestinationVendor",
"Port": "Port",
"Protocol": "Protocol",
"SourceHostName": "SourceHostName",
"SourceIP": "SourceIP",
"SourceMAC": "SourceMACAddress",
"SourceType": "SourceType",
"SourceVendor": "SourceVendor",
"SourceVLAN": "SourceVLAN"
},
"description": "Generates an incident when an alert raised by Radiflow's iSID is not contemplated by any of the other analytic rules",
"displayName": "Radiflow - Platform Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
},
{
"columnName": "SourceHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DestinationHostName",
"identifier": "HostName"
},
{
"columnName": "DestinationHostName",
"identifier": "NetBiosName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Radiflow/Analytic Rules/RadiflowPlatformAlert.yaml",
"query": "RadiflowEvent\n| where DeviceProduct =~ 'iSID'\n| where EventClassID !in ('User Activity', 100, 200, 300, 15500, 500, 15600, 16100, 16900, 17100, 18200, 18300, 18400, 18500, 5200, 10500, 15000, 15100, 15200, 15300, 15800, 16600, 17500, 11400, 11500, 11600, 11700, 11800, 11900, 16200, 5500, 14700, 19300, 19400, 2200, 2300, 2400, 2500, 2600, 2700, 14500, 3400, 5300, 6700, 6800, 6900, 7000, 7100, 17900, 5700, 5800, 5800, 6000, 17600, 17800, 18100)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"Execution",
"Exfiltration",
"ImpairProcessControl",
"InhibitResponseFunction",
"InitialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": null,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}