Pure Controller Failed
| Id | c317b007-84e7-4449-93f4-4444f6638fd0 |
| Rulename | Pure Controller Failed |
| Description | Detect controller failure and take appropriate response action. |
| Severity | High |
| Tactics | Execution |
| Techniques | T0871 |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml |
| Version | 1.0.0 |
| Arm template | c317b007-84e7-4449-93f4-4444f6638fd0.json |
Syslog
| where SyslogMessage has "purity.alert"
| extend Message = replace_regex(SyslogMessage, "#012", "\n")
| extend ParsedLog = extract_all(@"((?P<process>.*?)\[(?P<processid>.*?)\]:\s(?P<object>.*)\[(?P<responsecode>\w+)\][\s\S]*Severity:\s*(?P<severity>\S+)\s*(Tag:\s*(?P<reason>\S+))?\s*UTC([\s\S]*)Array Name:\s*(?P<objectname>\S+)\s*Domain:\s*(?P<domainorigin>\S+)\s*(?P<part2log>[\s\S]*))", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)
| mv-expand ParsedLog
| extend ResidueLog = tostring(ParsedLog[8])
| extend Rlog = extract_all(@"(((Suggested Action:\s*(?P<action>[\s\S]*)\s*Knowledge Base Article:\s*(?P<url>.*))|(Knowledge Base Article:\s*(?P<url>.*)\s*Suggested Action:\s*(?P<action>.*)\s*)|(Suggested Action:\s*(?P<action>[\s\S]*)))(([\s\S]*)Purity Version:\s*(?P<pversion>.*))?\s*([\s\S]*)Variables: \(below\)\s*(?P<subject>[\s\S]*))", dynamic(['action','url','pversion','subject']),ResidueLog)
| mv-expand Rlog
| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]
| project-away ResidueLog, Rlog, ParsedLog
| where PureObject matches regex @"(Controllers ct[0-9] have failed)"
severity: High
relevantTechniques:
- T0871
kind: NRT
version: 1.0.0
description: Detect controller failure and take appropriate response action.
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
groupByEntities: []
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
groupByAlertDetails: []
groupByCustomDetails: []
id: c317b007-84e7-4449-93f4-4444f6638fd0
suppressionEnabled: false
alertDetailsOverride:
alertDynamicProperties: []
tactics:
- Execution
name: Pure Controller Failed
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
query: |-
Syslog
| where SyslogMessage has "purity.alert"
| extend Message = replace_regex(SyslogMessage, "#012", "\n")
| extend ParsedLog = extract_all(@"((?P<process>.*?)\[(?P<processid>.*?)\]:\s(?P<object>.*)\[(?P<responsecode>\w+)\][\s\S]*Severity:\s*(?P<severity>\S+)\s*(Tag:\s*(?P<reason>\S+))?\s*UTC([\s\S]*)Array Name:\s*(?P<objectname>\S+)\s*Domain:\s*(?P<domainorigin>\S+)\s*(?P<part2log>[\s\S]*))", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)
| mv-expand ParsedLog
| extend ResidueLog = tostring(ParsedLog[8])
| extend Rlog = extract_all(@"(((Suggested Action:\s*(?P<action>[\s\S]*)\s*Knowledge Base Article:\s*(?P<url>.*))|(Knowledge Base Article:\s*(?P<url>.*)\s*Suggested Action:\s*(?P<action>.*)\s*)|(Suggested Action:\s*(?P<action>[\s\S]*)))(([\s\S]*)Purity Version:\s*(?P<pversion>.*))?\s*([\s\S]*)Variables: \(below\)\s*(?P<subject>[\s\S]*))", dynamic(['action','url','pversion','subject']),ResidueLog)
| mv-expand Rlog
| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]
| project-away ResidueLog, Rlog, ParsedLog
| where PureObject matches regex @"(Controllers ct[0-9] have failed)"
entityMappings:
- entityType: IP
fieldMappings:
- columnName: HostIP
identifier: Address
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c317b007-84e7-4449-93f4-4444f6638fd0')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c317b007-84e7-4449-93f4-4444f6638fd0')]",
"properties": {
"alertDetailsOverride": {
"alertDynamicProperties": []
},
"alertRuleTemplateName": "c317b007-84e7-4449-93f4-4444f6638fd0",
"customDetails": null,
"description": "Detect controller failure and take appropriate response action.",
"displayName": "Pure Controller Failed",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "HostIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml",
"query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P<process>.*?)\\[(?P<processid>.*?)\\]:\\s(?P<object>.*)\\[(?P<responsecode>\\w+)\\][\\s\\S]*Severity:\\s*(?P<severity>\\S+)\\s*(Tag:\\s*(?P<reason>\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P<objectname>\\S+)\\s*Domain:\\s*(?P<domainorigin>\\S+)\\s*(?P<part2log>[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P<action>[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P<url>.*))|(Knowledge Base Article:\\s*(?P<url>.*)\\s*Suggested Action:\\s*(?P<action>.*)\\s*)|(Suggested Action:\\s*(?P<action>[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P<pversion>.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P<subject>[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"",
"severity": "High",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"techniques": null,
"templateVersion": "1.0.0"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}