What Changed
New Microsoft Sentinel solution for Field Effect MDR, providing native integration for ARO (Automated Response Operations) alerts. The solution includes a complete ingestion and detection pipeline.
Data Source
Field Effect MDR is a cloud-based managed detection and response platform that monitors endpoints and networks. This integration ingests ARO alerts: automated threat detection events generated by Field Effect's security operations center.
Ingestion Mechanism
CCF-based (Codeless Connector Framework) connector using a JSON polling configuration against Field Effect's ARO API. Data flows through a DCR (Data Collection Rule) to populate the custom table FieldEffectAROAlerts_CL with normalized alert metadata, including severity, host details, and portal URLs.
Detection Surface Unlocked
ARO alerts provide pre-analyzed threat detections with host context (hostname, IP address, last user). The bundled analytic rule creates incidents for each ARO alert, preserving severity levels and linking back to the Field Effect portal for full investigation details.
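The two paragraphs above describe the pipeline end to end: poll the ARO API, normalize each alert into FieldEffectAROAlerts_CL, then raise one incident per row with the vendor severity preserved and the portal URL attached. The script below is an added illustration of that normalization step, not code from the Field Effect solution or from Microsoft; the raw field names, the column names and the severity mapping are all assumptions made for the example (the real schema is defined in FieldEffect_Table.json and FieldEffect_DCR.json), and the poll response is constructed sample data. It also shows two things a DCR or analytic rule has to get right that the summary only implies: skipping malformed records rather than creating empty incidents, and suppressing duplicates when overlapping poll windows return the same alert twice.

```python
import json
from datetime import datetime, timezone

# Constructed sample poll response; not real Field Effect data and not the
# real ARO API shape (field names are assumptions for illustration).
SAMPLE_POLL_RESPONSE = json.dumps({
    "results": [
        {"id": "aro-0001", "created": "2024-05-01T10:15:00Z", "severity": "critical",
         "title": "Suspicious script interpreter activity",
         "host": {"hostname": "ws-42", "ip": "10.0.0.42", "last_user": "jdoe"},
         "url": "https://portal.example.invalid/aro/aro-0001"},
        {"id": "aro-0002", "created": "2024-05-01T10:20:00Z", "severity": "low",
         "title": "Security tooling tamper attempt",
         "host": {"hostname": "srv-7", "ip": "10.0.0.7", "last_user": ""},
         "url": "https://portal.example.invalid/aro/aro-0002"},
        # Duplicate of aro-0001, as a re-poll of an overlapping window would return.
        {"id": "aro-0001", "created": "2024-05-01T10:15:00Z", "severity": "critical",
         "title": "Suspicious script interpreter activity",
         "host": {"hostname": "ws-42", "ip": "10.0.0.42", "last_user": "jdoe"},
         "url": "https://portal.example.invalid/aro/aro-0001"},
        # Malformed record: no host block and an unknown severity string.
        {"id": "aro-0003", "created": "2024-05-01T10:25:00Z", "severity": "bogus",
         "title": "Incomplete record", "url": "https://portal.example.invalid/aro/aro-0003"},
    ]
})

# Vendor severity -> Sentinel incident severity. The mapping itself is an
# assumption; the point is that the level is carried through, not flattened.
SEVERITY_MAP = {
    "critical": "High", "high": "High", "medium": "Medium",
    "low": "Low", "info": "Informational",
}


def normalize_alert(raw: dict) -> dict:
    """Map one raw ARO alert onto the row layout of FieldEffectAROAlerts_CL.

    Column names are assumed for this example. Raises ValueError for records
    that cannot produce a usable incident (missing id/host, unknown severity),
    so the caller can drop them instead of creating empty incidents.
    """
    alert_id = raw.get("id")
    host = raw.get("host") or {}
    if not alert_id or not host.get("hostname"):
        raise ValueError(f"alert {alert_id!r}: missing id or hostname")
    severity = SEVERITY_MAP.get(str(raw.get("severity", "")).lower())
    if severity is None:
        raise ValueError(f"alert {alert_id!r}: unknown severity {raw.get('severity')!r}")
    # Timestamps in the sample are ISO-8601 with a trailing Z; store as UTC ISO.
    created = datetime.fromisoformat(raw["created"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "TimeGenerated": created.isoformat(),
        "AlertId": alert_id,
        "Title": raw.get("title", ""),
        "Severity": severity,
        "Hostname": host["hostname"],
        "HostIp": host.get("ip", ""),
        "LastUser": host.get("last_user", ""),
        "PortalUrl": raw.get("url", ""),
    }


def normalize_poll_response(body: str, seen_ids: set) -> list:
    """Turn one poll response into table rows, one per new, well-formed alert.

    seen_ids persists across polls so overlapping windows do not yield
    duplicate rows (and therefore duplicate incidents).
    """
    rows = []
    for raw in json.loads(body).get("results", []):
        try:
            row = normalize_alert(raw)
        except (ValueError, KeyError):
            continue  # malformed record: skip rather than emit a partial row
        if row["AlertId"] in seen_ids:
            continue
        seen_ids.add(row["AlertId"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    seen = set()
    for r in normalize_poll_response(SAMPLE_POLL_RESPONSE, seen):
        print(r["Severity"], r["Hostname"], r["LastUser"] or "<no user>", r["PortalUrl"])
```

Run against the constructed response, the script emits two rows (High for ws-42, Low for srv-7), drops the repeated aro-0001 and the record with no host, and a second poll over the same window yields nothing new; the analytic rule that creates one incident per row then inherits the Severity column and the PortalUrl link directly.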
MITRE Coverage
Execution (T1059, Command and Scripting Interpreter) and Defense Evasion (T1562, Impair Defenses) are the techniques mapped in the detection rule, reflecting common attack vectors identified by Field Effect's threat analysis.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/FieldEffectAROAlerts_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/FieldEffect_Logo.svg
Solutions/FieldEffectMDR/Analytic Rules/AROAlert.yaml
Solutions/FieldEffectMDR/Data Connectors/FieldEffect_ConnectorDefinition.json
Solutions/FieldEffectMDR/Data Connectors/FieldEffect_DCR.json
Solutions/FieldEffectMDR/Data Connectors/FieldEffect_PollerConfig.json
Solutions/FieldEffectMDR/Data Connectors/FieldEffect_Table.json
Solutions/FieldEffectMDR/Package/testParameters.json
Solutions/FieldEffectMDR/Parsers/FieldEffect.yaml
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_FieldEffect.json, createUiDefinition.json, mainTemplate.json)