
ExtrahopAnomalyAlert

ID: 100011

Description:

Reveal Anomaly Alert

Repository:

Group: ThreatAnalysis
Type: event

Default Status:

Disabled

Tags:
Extrahop

Selector:

Query:

Filters:

| Field | MUST hit |
| :--- | :--- |
| @parser | ExtrahopAlertGenerator |
| @fields.alert_name | Anomaly Detected |

| Field | MUST NOT hit |
| :--- | :--- |

Behavior Rule:

| Key | Type | Behavior Category |
| :--- | :--- | :--- |
| @fields.object_name | asset | network access |

Risks:

| Risks | Base Score | Dimension |
| :--- | :--- | :--- |
| ALERT_NORMAL | 100 | alert |

Attributes:

| Alias | Key |
| :--- | :--- |
| IP | @fields.ipaddr |
| Hostname | @fields.object_name |
| MacAddress | @fields.macaddr |
| Severity | @fields.alert_severity |
| Expression | @fields.alert_expression |
| Comment | @fields.alert_comment |

Correlation Rules:

First Occurrence:

| Name | Window | Fields |
| :--- | :--- | :--- |
| NewIP | 10 days | @fields.ipaddr |
| NewAsset | 10 days | @fields.object_name |
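As an added example (not the rule engine's own code, which this page does not show), the following Python re-implements the rule as documented above: the two MUST hit filters combined as an AND of exact matches, the attribute aliases, the ALERT_NORMAL base score, and the two 10-day First Occurrence correlations, run over a handful of constructed events. The evaluation semantics (exact string equality, a MUST NOT hit match vetoing the event, a First Occurrence firing when the field value was not seen within the preceding window, events processed oldest first) and every host, address and timestamp in the sample stream are assumptions, not taken from the page.

```python
"""Added example, not the rule engine's own code: re-implements the
ExtrahopAnomalyAlert rule as documented and runs it over constructed events.
Assumed semantics: MUST-hit filters are ANDed exact matches, MUST-NOT-hit
filters veto, and a First Occurrence correlation fires when the field value
was not seen within the preceding window."""

from datetime import datetime, timedelta

# Rule definition transcribed from the page (field names and values as listed).
RULE = {
    "id": 100011,
    "must_hit": {
        "@parser": "ExtrahopAlertGenerator",
        "@fields.alert_name": "Anomaly Detected",
    },
    "must_not_hit": {},                        # the page lists no MUST NOT hit fields
    "risk": {"ALERT_NORMAL": (100, "alert")},  # (base score, dimension)
    "attributes": {
        "IP": "@fields.ipaddr",
        "Hostname": "@fields.object_name",
        "MacAddress": "@fields.macaddr",
        "Severity": "@fields.alert_severity",
        "Expression": "@fields.alert_expression",
        "Comment": "@fields.alert_comment",
    },
    "first_occurrence": [  # (name, window, field)
        ("NewIP", timedelta(days=10), "@fields.ipaddr"),
        ("NewAsset", timedelta(days=10), "@fields.object_name"),
    ],
}


def matches(rule, event):
    """True when every MUST-hit key equals its value and no MUST-NOT-hit key does.
    A missing key never matches, so an event without @parser is rejected."""
    if any(event.get(k) != v for k, v in rule["must_hit"].items()):
        return False
    return not any(event.get(k) == v for k, v in rule["must_not_hit"].items())


def extract_attributes(rule, event):
    """Resolve the rule's alias names against the event (None when a field is absent)."""
    return {alias: event.get(key) for alias, key in rule["attributes"].items()}


class FirstOccurrenceTracker:
    """Remembers when each (correlation, value) pair was last seen; `check` reports
    whether the value is new within the window and records the current sighting."""

    def __init__(self):
        self._last_seen = {}

    def check(self, name, window, value, now):
        if value is None:  # absent field: nothing to correlate on
            return False
        previous = self._last_seen.get((name, value))
        self._last_seen[(name, value)] = now
        return previous is None or now - previous > window


def evaluate(rule, events, tracker=None):
    """Run the rule over events ordered oldest first. Returns one result per
    matching event: timestamp, base score, attributes and fired correlations."""
    if tracker is None:
        tracker = FirstOccurrenceTracker()
    results = []
    for event in events:
        if not matches(rule, event):
            continue
        now = datetime.fromisoformat(event["@timestamp"])
        fired = [name for name, window, field in rule["first_occurrence"]
                 if tracker.check(name, window, event.get(field), now)]
        results.append({
            "timestamp": now,
            "score": rule["risk"]["ALERT_NORMAL"][0],
            "attributes": extract_attributes(rule, event),
            "correlations": fired,
        })
    return results


def anomaly_event(ts, ip, host, extra=None):
    """Build a constructed event in the field layout the rule expects (not real ExtraHop output)."""
    event = {"@timestamp": ts, "@parser": "ExtrahopAlertGenerator",
             "@fields.alert_name": "Anomaly Detected",
             "@fields.ipaddr": ip, "@fields.object_name": host}
    event.update(extra or {})
    return event


# Constructed sample stream; hosts, addresses and timestamps are invented.
SAMPLE_EVENTS = [
    anomaly_event("2021-10-01T09:00:00", "10.1.2.3", "db01", {
        "@fields.macaddr": "00:11:22:33:44:55", "@fields.alert_severity": "High",
        "@fields.alert_expression": "db.rate > baseline", "@fields.alert_comment": "constructed"}),
    anomaly_event("2021-10-03T09:00:00", "10.1.2.3", "db01"),  # repeat inside both windows
    anomaly_event("2021-10-04T09:00:00", "10.9.9.9", "scanner",
                  {"@fields.alert_name": "Scan Detected"}),     # fails the MUST-hit filter
    anomaly_event("2021-10-05T09:00:00", "10.1.2.4", "db01"),  # known asset, unseen IP
    anomaly_event("2021-10-16T10:00:00", "10.1.2.3", "db01"),  # both 10-day windows expired
]

if __name__ == "__main__":
    for r in evaluate(RULE, SAMPLE_EVENTS):
        print(r["timestamp"], r["score"], r["attributes"]["Hostname"], r["correlations"])
```

Two points worth checking against whatever engine actually runs this rule: an event that lacks a correlated field (no `@fields.ipaddr`, say) is skipped by the tracker here rather than treated as a new value, and the tracker keys on the exact string, so the same host reported under two capitalisations of `@fields.object_name` would fire NewAsset twice. Since the rule is Disabled by default, enabling it without the First Occurrence windows would turn every ExtraHop anomaly into a score-100 alert, so the 10-day windows are what keeps the volume manageable.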

History:

| User | Date |
| :--- | :--- |
| - | - |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)