TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
triggerOperator: gt
queryFrequency: 5m
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)"
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: Theom
dataTypes:
- TheomAlerts_CL
version: 1.0.1
eventGroupingSettings:
aggregationKind: AlertPerResult
queryPeriod: 5m
name: Theom - Least priv large value shadow DB
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml
id: 67b9ff50-5393-49d5-b66f-05b33e2f35d2
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: customProps_AssetName_s
entityType: CloudApplication
- fieldMappings:
- identifier: Url
columnName: deepLink_s
entityType: URL
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
},
"alertRuleTemplateName": "67b9ff50-5393-49d5-b66f-05b33e2f35d2",
"customDetails": null,
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)\"\n",
"displayName": "Theom - Least priv large value shadow DB",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "customProps_AssetName_s",
"identifier": "Name"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "deepLink_s",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml",
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0032\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}