hi Javier-Soriano
{
"Scheduled": [
{
"displayName": "AlertRule01",
"description": "",
"severity": "Medium",
"enabled": true,
"query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
"queryFrequency": "5H",
"queryPeriod": "6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5,
"suppressionDuration": "6H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"LateralMovement",
"Collection"
],
"playbookName": "",
"aggregationKind": "SingleAlert",
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"entitiesMatchingMethod": "All",
"groupByEntities": [
"Account",
"Ip",
"Host",
"Url"
]
}
},
{
"displayName": "AlertRule02",
"description": "",
"severity": "Medium",
"enabled": true,
"query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
"queryFrequency": "5H",
"queryPeriod": "6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5,
"suppressionDuration": "6H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"LateralMovement",
"Collection"
],
"playbookName": ""
}
],
"Fusion": [
{
"displayName": "Advanced Multistage Attack Detection",
"enabled": true,
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
}
],
"MLBehaviorAnalytics": [
{
"displayName": "(Preview) Anomalous SSH Login Detection",
"enabled": true,
"alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b"
}
],
"MicrosoftSecurityIncidentCreation": [
{
"displayName": "Create incidents based on Azure Active Directory Identity Protection alerts",
"description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection",
"enabled": true,
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": [
"High",
"Medium",
"Low"
],
"displayNamesFilter": null
}
]
}
Microsoft