
Digital Shadows Incident Creation for include-app

Severity: medium
Time window: 6m
Group by: EventOriginalUid
Source: github.com/Azure/Azure-Sentinel

Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications

Rule body (Kusto)

id: ede3071d-9317-45f9-b36c-6a6effee5294
name: Digital Shadows Incident Creation for include-app
description: 'Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications'
severity: Medium
requiredDataConnectors:
  - connectorId: DigitalShadows
    dataTypes: 
      - DigitalShadows_CL
queryFrequency: 5m
queryPeriod: 6m
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
  let DSSearchLight_view = view () {
  DigitalShadows_CL
  | where app_s == "include"
  | extend EventVendor="Digital Shadows", EventProduct="SearchLight", Type="DigitalShadows_CL", EventStartTime=raised_t, EventMessage=title_s, EventOriginalUid=triage_id_g, EventOriginalType=classification_s
  | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s)
  | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low', EventOriginalSeverity == 'low', 'Low', EventOriginalSeverity == 'medium', 'Medium', EventOriginalSeverity == 'high', 'High', EventOriginalSeverity == 'very-high', 'High', 'Informational')
  | extend EventReportUrl = column_ifexists('gm_link_s', '')
  | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t, "triage_updated", triage_updated_time_t, "updated", updated_t)
  | project TimeGenerated, EventVendor, EventProduct, Type, EventStartTime, EventMessage, EventOriginalUid, EventOriginalType, EventOriginalSeverity, EventSeverity, EventReportUrl, AdditionalFields
  };
  DSSearchLight_view
  | summarize arg_max(TimeGenerated, *) by EventOriginalUid
  | extend description = AdditionalFields.description
  | extend impact = AdditionalFields.impact
  | extend mitigation = AdditionalFields.mitigation
  | extend status = AdditionalFields.triage_status
  | extend comments = AdditionalFields.comments
entityMappings: 
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: EventReportUrl
enabled: true
suppressionDuration: 5h
suppressionEnabled: false
techniques: []
alertRuleTemplateName:
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: 7d
    matchingMethod: Selected
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails:
    - triage_id
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: Digital Shadows - {{EventMessage}}
  alertDescriptionFormat: |-
    {{description}}

    {{impact}}

    {{mitigation}}
  alertTacticsColumnName:
  alertSeverityColumnName: EventSeverity
customDetails:
  triage_id: EventOriginalUid
  severity: EventOriginalSeverity
  description: description
  status: status
  impact: impact
  mitigation: mitigation
version: 1.0.3
kind: Scheduled
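The following harness is an added example, not code from the Azure-Sentinel repository: it models the three normalisation steps of the query above (the isempty() fallback for the original severity, the case() severity mapping, and the arg_max() de-duplication per triage id) on constructed DigitalShadows_CL rows, so a detection engineer can check the rule's intent offline. All sample values and the helper names are assumptions; one row deliberately carries a severity with different casing, because KQL == is case-sensitive and such a value falls through to the 'Informational' default.

```python
from datetime import datetime

# Same mapping as the case() in the rule. KQL == is case-sensitive, so any
# value that is not an exact match (e.g. "High") falls through to the default.
SEVERITY_MAP = {
    "none": "Informational", "very-low": "Low", "low": "Low",
    "medium": "Medium", "high": "High", "very-high": "High",
}

def original_severity(row):
    # iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s):
    # isempty() is true for both null and "", which `or` reproduces here.
    return row.get("risk_level_s") or row.get("risk_assessment_risk_level_s") or ""

def normalise(row):
    # Project a raw DigitalShadows_CL row into the view's output columns.
    sev = original_severity(row)
    return {
        "TimeGenerated": row["TimeGenerated"],
        "EventOriginalUid": row["triage_id_g"],
        "EventMessage": row["title_s"],
        "EventOriginalSeverity": sev,
        "EventSeverity": SEVERITY_MAP.get(sev, "Informational"),
        "EventReportUrl": row.get("gm_link_s", ""),  # column_ifexists() default
    }

def run_rule(rows):
    # where app_s == "include", normalise, then keep the latest row per triage
    # id, as summarize arg_max(TimeGenerated, *) by EventOriginalUid does.
    latest = {}
    for row in rows:
        if row.get("app_s") != "include":
            continue
        ev = normalise(row)
        uid = ev["EventOriginalUid"]
        if uid not in latest or ev["TimeGenerated"] > latest[uid]["TimeGenerated"]:
            latest[uid] = ev
    return latest

# Constructed sample rows: field names follow the rule, values are made up.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_ROWS = [
    {"TimeGenerated": T0, "app_s": "include", "triage_id_g": "t-1",
     "title_s": "Exposed credential", "risk_level_s": "high"},
    {"TimeGenerated": T0.replace(minute=5), "app_s": "include", "triage_id_g": "t-1",
     "title_s": "Exposed credential", "risk_level_s": "medium"},  # re-triaged later
    {"TimeGenerated": T0, "app_s": "include", "triage_id_g": "t-2", "title_s": "Typosquat",
     "risk_level_s": "", "risk_assessment_risk_level_s": "very-low"},  # fallback path
    {"TimeGenerated": T0, "app_s": "include", "triage_id_g": "t-3",
     "title_s": "Leaked document", "risk_level_s": "High"},  # case mismatch
    {"TimeGenerated": T0, "app_s": "exclude", "triage_id_g": "t-4",
     "title_s": "Filtered out", "risk_level_s": "high"},
]
```

Running `run_rule(SAMPLE_ROWS)` yields one event per triage id t-1 to t-3, with t-1 at the later "medium" severity and t-3 downgraded to Informational.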

Stages and Predicates

Let binding: DSSearchLight_view

let DSSearchLight_view = view () {
DigitalShadows_CL
| where app_s == "include"
| extend EventVendor="Digital Shadows", EventProduct="SearchLight", Type="DigitalShadows_CL", EventStartTime=raised_t, EventMessage=title_s, EventOriginalUid=triage_id_g, EventOriginalType=classification_s
| extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s)
| extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low', EventOriginalSeverity == 'low', 'Low', EventOriginalSeverity == 'medium', 'Medium', EventOriginalSeverity == 'high', 'High', EventOriginalSeverity == 'very-high', 'High', 'Informational')
| extend EventReportUrl = column_ifexists('gm_link_s', '')
| extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t, "triage_updated", triage_updated_time_t, "updated", updated_t)
| project TimeGenerated, EventVendor, EventProduct, Type, EventStartTime, EventMessage, EventOriginalUid, EventOriginalType, EventOriginalSeverity, EventSeverity, EventReportUrl, AdditionalFields
};

Stage 1: source

DigitalShadows_CL

Stage 2: where

where app_s == "include"

Stage 3: extend (5 consecutive steps)

extend EventVendor, EventProduct, Type, EventStartTime, EventMessage, EventOriginalUid, EventOriginalType; then EventOriginalSeverity; then EventSeverity; then EventReportUrl; then AdditionalFields

Stage 4: project

project AdditionalFields, EventMessage, EventOriginalSeverity, EventOriginalType, EventOriginalUid, EventProduct, EventReportUrl, EventSeverity, EventStartTime, EventVendor, TimeGenerated, Type

Stage 5: summarize

summarize arg_max(TimeGenerated, *) by EventOriginalUid

Stage 6: extend (5 consecutive steps)

extend description, impact, mitigation, status, comments (each taken from AdditionalFields)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field    Kind    Values
app_s    eq      include (transforms: cased)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field               Source
EventOriginalUid    summarize
description         extend
impact              extend
mitigation          extend
status              extend
comments            extend