Digital Guardian - Incident with not blocked action

Back


Id	07bca129-e7d6-4421-b489-32abade0b6a7
Rulename	Digital Guardian - Incident with not blocked action
Description	Detects when incident has not block action.
Severity	High
Tactics	Exfiltration
Techniques	T1048
Required data connectors	DigitalGuardianDLP
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml
Version	1.0.0
Arm template	07bca129-e7d6-4421-b489-32abade0b6a7.json

KQL

DigitalGuardianDLPEvent
| where isnotempty(IncidentStatus)
| extend inc_act = split(IncidentStatus, ',')
| where inc_act has 'New'
| where inc_act !contains 'Block'
| extend AccountCustomEntity = SrcUserName

YAML

version: 1.0.0
name: Digital Guardian - Incident with not blocked action
severity: High
queryFrequency: 1h
kind: Scheduled
queryPeriod: 1h
description: |
    'Detects when incident has not block action.'
query: |
  DigitalGuardianDLPEvent
  | where isnotempty(IncidentStatus)
  | extend inc_act = split(IncidentStatus, ',')
  | where inc_act has 'New'
  | where inc_act !contains 'Block'
  | extend AccountCustomEntity = SrcUserName  
tactics:
- Exfiltration
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml
requiredDataConnectors:
- connectorId: DigitalGuardianDLP
  dataTypes:
  - DigitalGuardianDLPEvent
status: Available
relevantTechniques:
- T1048
id: 07bca129-e7d6-4421-b489-32abade0b6a7

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/07bca129-e7d6-4421-b489-32abade0b6a7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/07bca129-e7d6-4421-b489-32abade0b6a7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Digital Guardian - Incident with not blocked action",
        "description": "'Detects when incident has not block action.'\n",
        "severity": "High",
        "enabled": true,
        "query": "DigitalGuardianDLPEvent\n| where isnotempty(IncidentStatus)\n| extend inc_act = split(IncidentStatus, ',')\n| where inc_act has 'New'\n| where inc_act !contains 'Block'\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048"
        ],
        "alertRuleTemplateName": "07bca129-e7d6-4421-b489-32abade0b6a7",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DigitalGuardianDLP/Analytic Rules/DigitalGuardianViolationNotBlocked.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}