Sonrai Ticket Risk Accepted

Back


Id	080191e8-271d-4ae6-85ce-c7bcd4b06b40
Rulename	Sonrai Ticket Risk Accepted
Description	Checks if Sonrai tickets have had their risk accepted. It uses the action type to check if a ticket has had it’s risk accepted
Severity	Medium
Tactics	Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation
Techniques	T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499
Required data connectors	SonraiDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketRiskAccepted.yaml
Version	1.0.2
Arm template	080191e8-271d-4ae6-85ce-c7bcd4b06b40.json

KQL

Sonrai_Tickets_CL
| where action_d == 7

YAML

entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: digest_criticalResourceName_s
name: Sonrai Ticket Risk Accepted
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
id: 080191e8-271d-4ae6-85ce-c7bcd4b06b40
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketRiskAccepted.yaml
customDetails:
  ticketSeverity: digest_severityCategory_s
  ticketName: digest_title_s
  resourceLabel: digest_resourceLabel_s
  resourceType: digest_resourceType_s
  ticketOrg: digest_org_s
  ticketStatus: digest_status_s
  criticalResource: digest_criticalResourceName_s
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
query: |
  Sonrai_Tickets_CL
  | where action_d == 7  
description: |
  'Checks if Sonrai tickets have had their risk accepted. 
  It uses the action type to check if a ticket has had it's risk accepted'  
requiredDataConnectors:
- connectorId: SonraiDataConnector
  dataTypes:
  - Sonrai_Tickets_CL
status: Available
queryPeriod: 5m
alertDetailsOverride:
  alertSeverityColumnName: digest_severityCategory_s
  alertDescriptionFormat: digest_ticketKeyDescription_s
  alertDisplayNameFormat: Risk Accepted - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/080191e8-271d-4ae6-85ce-c7bcd4b06b40')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/080191e8-271d-4ae6-85ce-c7bcd4b06b40')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "Risk Accepted - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "080191e8-271d-4ae6-85ce-c7bcd4b06b40",
        "customDetails": {
          "criticalResource": "digest_criticalResourceName_s",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketSeverity": "digest_severityCategory_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks if Sonrai tickets have had their risk accepted. \nIt uses the action type to check if a ticket has had it's risk accepted'\n",
        "displayName": "Sonrai Ticket Risk Accepted",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketRiskAccepted.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 7\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}