Microsoft Sentinel External Alerts

Generates a detection alert for each Microsoft Sentinel alert written to the configured indices. Enabling this rule allows you to immediately begin investigating Microsoft Sentinel alerts in the app.

Elastic rule

[metadata]
creation_date = "2025/07/31"
integration = ["microsoft_sentinel"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for Microsoft Sentinel alert promotion"
updated_date = "2025/08/04"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Microsoft Sentinel alert written to the configured indices. Enabling this rule
allows you to immediately begin investigating Microsoft Sentinel alerts in the app.
"""
from = "now-2m"
index = ["logs-microsoft_sentinel.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Microsoft Sentinel External Alerts"
note = """## Triage and analysis

## Investigating Microsoft Sentinel External Alerts

Microsoft Sentinel is a cloud-native SIEM tool that aggregates security data for threat detection and response. The rule identifies each alert logged in Sentinel, enabling analysts to swiftly investigate potential threats.

### Possible investigation steps

- Examine the timeline of events leading up to the alert to identify any unusual or suspicious activities that may have occurred.
- Cross-reference the alert with other related alerts or logs in Microsoft Sentinel to determine if this is part of a larger pattern or isolated incident.
- Investigate the source and context of the alert to identify any patterns or anomalies that could indicate manipulation or false positives.
- Consult the Microsoft Sentinel investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts triggered by routine administrative tasks can be false positives. Identify these tasks and create exceptions to prevent unnecessary alerts.
- Frequent alerts from known safe IP addresses or domains may not indicate a threat. Whitelist these sources to reduce noise.
- Alerts generated by automated scripts or scheduled tasks that are part of regular operations can be excluded by setting up filters for these specific activities.
- Non-threatening alerts from internal network scans or vulnerability assessments should be reviewed and excluded if they are part of regular security practices.
- Alerts from test environments or sandboxed systems can be false positives. Exclude these environments from alert generation to focus on genuine threats.

### Response and remediation

- Contain the threat by isolating affected systems from the network to prevent further spread or data exfiltration.
- Review and terminate any suspicious processes or sessions identified in the alert to halt ongoing malicious activities.
- Conduct a thorough analysis of the alert details to identify any compromised accounts or credentials and reset passwords immediately.
- Apply relevant security patches or updates to affected systems to close any vulnerabilities exploited by the adversary.
- Restore affected systems from clean backups to ensure the integrity and security of the environment.
- Monitor network traffic and system logs closely for any signs of recurring or related suspicious activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional resources are needed.
"""
references = ["https://docs.elastic.co/en/integrations/microsoft_sentinel"]
risk_score = 47
rule_id = "74147312-ba03-4bea-91d1-040d54c1e8c3"
rule_name_override = "microsoft_sentinel.alert.properties.friendly_name"
setup = """## Setup

### Microsoft Sentinel Alert Integration
This rule is designed to capture alert events generated by the Microsoft Sentinel integration and promote them as Elastic detection alerts.

To capture Microsoft Sentinel alerts, install and configure the Microsoft Sentinel integration to ingest alert events into the `logs-microsoft_sentinel.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Sentinel events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:microsoft_sentinel.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Microsoft Sentinel", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and data_stream.dataset: microsoft_sentinel.alert
'''

[[rule.risk_score_mapping]]
field = "microsoft_sentinel.alert.properties.confidence_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
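The rule file above is declarative, so it helps to see how its three moving parts behave on concrete documents: the KQL query that selects Sentinel alerts, the severity_mapping that translates event.severity values 21/47/73/99 into low/medium/high/critical (falling back to the rule's default severity of medium), and the setup note's advice to add an exception to the generic External Alerts rule so each Sentinel alert is promoted only once. The following Python script is an added example written for this page, not Elastic's code. It evaluates constructed documents, not real Sentinel output, and it assumes the generic External Alerts rule matches on `event.kind: alert` alone; the helper names (`get_field`, `promote`, `count_promotions`) are this example's own.

```python
"""Evaluate the 'Microsoft Sentinel External Alerts' promotion rule against
constructed documents. Added example, not Elastic's code.

Reproduces, in plain Python, three behaviours of the rule file above:
  * the KQL query: event.kind: alert and data_stream.dataset: microsoft_sentinel.alert
  * the severity_mapping entries (event.severity 21/47/73/99 -> low/medium/high/critical),
    with the rule's default severity "medium" when no mapping matches
  * the setup note's deduplication advice: the generic External Alerts rule (assumed here
    to match event.kind: alert alone) gets an exception that excludes
    data_stream.dataset: microsoft_sentinel.alert, so each Sentinel alert is promoted once
"""
from __future__ import annotations

# Values copied from the rule file above.
RULE_QUERY_DATASET = "microsoft_sentinel.alert"
DEFAULT_SEVERITY = "medium"
SEVERITY_MAPPING = {21: "low", 47: "medium", 73: "high", 99: "critical"}
RULE_NAME_OVERRIDE_FIELD = "microsoft_sentinel.alert.properties.friendly_name"
DEFAULT_NAME = "Microsoft Sentinel External Alerts"


def get_field(doc: dict, dotted: str):
    """Resolve a dotted ECS field name (e.g. 'event.kind') against a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_sentinel_rule(doc: dict) -> bool:
    """Equivalent of the rule's KQL query on a single document."""
    return (get_field(doc, "event.kind") == "alert"
            and get_field(doc, "data_stream.dataset") == RULE_QUERY_DATASET)


def matches_external_alerts_rule(doc: dict, with_exception: bool) -> bool:
    """Assumed shape of the generic External Alerts rule (event.kind: alert), optionally
    carrying the exception recommended in the setup note."""
    if get_field(doc, "event.kind") != "alert":
        return False
    if with_exception and get_field(doc, "data_stream.dataset") == RULE_QUERY_DATASET:
        return False  # excluded by the exception, so only the Sentinel rule promotes it
    return True


def mapped_severity(doc: dict) -> str:
    """Apply severity_mapping (operator 'equals' on event.severity); otherwise the rule default."""
    sev = get_field(doc, "event.severity")
    try:
        return SEVERITY_MAPPING.get(int(sev), DEFAULT_SEVERITY)
    except (TypeError, ValueError):
        return DEFAULT_SEVERITY


def promote(doc: dict) -> dict | None:
    """Build the promoted detection alert as the rule's overrides describe, or None if no match."""
    if not matches_sentinel_rule(doc):
        return None
    # rule_name_override: use the Sentinel friendly name when the document carries one.
    name = get_field(doc, RULE_NAME_OVERRIDE_FIELD) or DEFAULT_NAME
    return {"rule_name": name, "severity": mapped_severity(doc), "source_dataset": RULE_QUERY_DATASET}


# Constructed sample documents for illustration only (not real Sentinel output).
SAMPLE_DOCS = [
    {"event": {"kind": "alert", "severity": 73},
     "data_stream": {"dataset": "microsoft_sentinel.alert"},
     "microsoft_sentinel": {"alert": {"properties": {"friendly_name": "Suspicious sign-in (constructed)"}}}},
    {"event": {"kind": "alert", "severity": 5},   # severity not in the mapping -> rule default
     "data_stream": {"dataset": "microsoft_sentinel.alert"}},
    {"event": {"kind": "alert", "severity": 99},  # another vendor's alert; not this rule's dataset
     "data_stream": {"dataset": "some_other_vendor.alert"}},
    {"event": {"kind": "event"},                  # Sentinel telemetry that is not an alert
     "data_stream": {"dataset": "microsoft_sentinel.log"}},
]


def count_promotions(docs: list[dict], external_rule_has_exception: bool) -> dict[str, int]:
    """Count detection alerts each document would yield with both promotion rules enabled."""
    counts = {}
    for i, d in enumerate(docs):
        n = int(matches_sentinel_rule(d)) + int(matches_external_alerts_rule(d, external_rule_has_exception))
        counts[f"doc{i}"] = n
    return counts


if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        print(promote(d))
    print("without exception:", count_promotions(SAMPLE_DOCS, False))
    print("with exception:   ", count_promotions(SAMPLE_DOCS, True))
```

Running the script shows the first two documents promoted (one named from the friendly_name override with severity high, one with the default name and default severity because 5 is not a mapped value), the other two ignored by this rule, and the duplicate count for Sentinel alerts dropping from 2 to 1 once the exception on the generic External Alerts rule is in place.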
