ExtrahopAnomalyAlert
ID: 100011
Description:
Reveal Anomaly Alert
Repository: Group: ThreatAnalysis Type: event
Default Status:
Disabled
| Tags: |
|---|
| Extrahop |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @parser | ExtrahopAlertGenerator |
| @fields.alert_name | Anomaly Detected |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.object_name | asset | network access |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_NORMAL | 100 | alert |
Attributes:
| Alias | Key |
|---|---|
| IP | @fields.ipaddr |
| Hostname | @fields.object_name |
| MacAddress | @fields.macaddr |
| Severity | @fields.alert_severity |
| Expression | @fields.alert_expression |
| Comment | @fields.alert_comment |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewIP | 10 days | @fields.ipaddr |
| NewAsset | 10 days | @fields.object_name |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)