
External Fabric Module XFM1 is unhealthy

Severity
high
Source
github.com/Azure/Azure-Sentinel


MITRE ATT&CK coverage

Tactic       Technique
Execution    T0871 Execution through API

Rule body (kusto)

id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf
name: External Fabric Module XFM1 is unhealthy
version: 1.0.0
kind: NRT
description: External Fabric Module XFM1 is unhealthy
severity: High
tactics:
- Execution
relevantTechniques:
- T0871
query: |2-
  Syslog
  | where SyslogMessage has "purity.alert"
  | extend Message = replace_string(SyslogMessage, "#012", "\n")
  | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
  | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
  | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
  | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
  | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
  | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
  | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
  | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
  | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
  | project  PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
  | where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: HostIP
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert

Stages and Predicates

Stage 1: source

Syslog

Stage 2: where

| where SyslogMessage has "purity.alert"

Stage 3: extend (10 consecutive steps)

| extend Message = replace_string(SyslogMessage, "#012", "\n")
| extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
| extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
| extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
| extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
| extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
| extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
| extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
| extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
| extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)

Stage 4: project

| project  PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl

Stage 5: where

| where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
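To see what the extend stages above actually capture before the rule goes live, here is an added Python re-implementation of the pipeline (not part of the rule or of the Azure-Sentinel repository), run over constructed sample syslog lines. The layout of the sample lines, the substring approximation of Kusto's `has`, and the hostname/URL values are assumptions.

```python
import re

# Patterns copied verbatim from the rule's extend stages; they use no RE2
# features that Python's re handles differently.
FIELDS = {
    "UTCTime": r"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC",
    "PureAlertID": r"Alert ID: ([\w-]+)",
    "PureMessage": r"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]",
    "PureSeverity": r"\s(\w+)\s",
    "PureAlertState": r"purity\.alert:\s\w+\s(\w+)",
    "PureObjectName": r"\s(\S+):",
    "PureProcessID": r"\[(\d+)\]",
    "PureAction": r"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)",
    "PureUrl": r"Knowledge Base Article:\s*(.*)",
}
FINAL_PREDICATE = r"(External Fabric Module XFM1 is unhealthy)"


def extract(pattern, text):
    """Mimic Kusto extract(pattern, 1, text): group 1 of the first match, else ''."""
    m = re.search(pattern, text)
    return m.group(1) if m else ""


def evaluate(syslog_message):
    """Run stages 2-5 over one SyslogMessage; return the extracted row or None."""
    # Stage 2: `has "purity.alert"` (term match; substring is close enough here).
    if "purity.alert" not in syslog_message:
        return None
    # Stage 3: every extract() runs on the raw SyslogMessage, where syslog has
    # already escaped newlines as the literal "#012".
    row = {name: extract(pat, syslog_message) for name, pat in FIELDS.items()}
    # Stage 5: the final predicate on the extracted PureMessage.
    if not re.search(FINAL_PREDICATE, row["PureMessage"]):
        return None
    return row


# Constructed sample lines (assumed layout, not captured Pure Storage output).
SAMPLE_HIT = ("purity.alert: warning open array01: (Alert ID: 10057) "
              "External Fabric Module XFM1 is unhealthy [1234]"
              "#012UTC Time: 2024 Mar 05 14:07:09 UTC"
              "#012Suggested Action: Check the XFM1 cabling and power. "
              "Knowledge Base Article: https://kb.example.invalid/xfm1")
SAMPLE_OTHER = ("purity.alert: info closed array01: (Alert ID: 10058) "
                "Ethernet link down on ct0.eth4 [1235]")
SAMPLE_NOISE = "sshd[991]: Accepted publickey for admin from 10.0.0.5 port 51022"

if __name__ == "__main__":
    for line in (SAMPLE_HIT, SAMPLE_OTHER, SAMPLE_NOISE):
        print(evaluate(line))
```

Only the first sample survives stage 5; swapping in a real exported line shows immediately whether PureSeverity and PureObjectName, whose patterns are position-sensitive, land on the intended tokens.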

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field           Kind           Values
PureMessage     regex_match    (External Fabric Module XFM1 is unhealthy)
SyslogMessage   match          purity.alert (transforms: term)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection, and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field            Source
Computer         project
HostIP           project
PureAction       project
PureAlertID      project
PureAlertState   project
PureMessage      project
PureObjectName   project
PureProcessID    project
PureSeverity     project
PureUrl          project
TimeGenerated    project