Detection rules › Kusto
Dragos Notifications
'Fires Microsoft Sentinel alerts for Dragos Notifcations.'
Rule body kusto
id: 9a74fe72-4c21-4ac5-80d9-37434e809721
name: Dragos Notifications
description: |
'Fires Microsoft Sentinel alerts for Dragos Notifcations.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: DragosSitestoreCCP
dataTypes:
- DragosAlerts_CL
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
DragosNotificationsToSentinel()
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: SentinelEntities
fieldMappings:
- identifier: Entities
columnName: SentinelEntities
alertDetailsOverride:
alertDisplayNameFormat: 'Dragos: {{summary}}'
alertDescriptionFormat: '{{content}}'
alertSeverityColumnName: MSSentinelSeverity
alertTacticsColumnName: MitreTactics
alertDynamicProperties:
- alertProperty: Techniques
value: MitreTechniques
- alertProperty: ProductName
value: AlertProductName
customDetails:
DragosIdentifier: id
DragosSeverity: severity
DragosDetectionQuads: detectionQuads
DragosCreatedAt: createdAt
DragosFirstSeenAt: firstSeenAt
DragosLastSeenAt: lastSeenAt
DragosOccurredAt: occurredAt
DragosState: state
DragosSource: source
DragosThreatInfo: threatInfo
DragosIpAddresses: IpAddresses
DragosMacAddresses: MacAddresses
DragosConnectSrc: DragosConnectorSource
incidentConfiguration:
createIncident: true
# We handle de-duping via the raw queries, but still keep this
# as a fall back
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: PT1H
matchingMethod: Selected
groupByCustomDetails:
- DragosIdentifier
version: 1.0.1
kind: Scheduled
Stages and Predicates
Stage 1: source
DragosNotificationsToSentinel()