Sonrai Ticket Escalation Executed

Back


Id	0d29c93e-b83f-4dfb-bbbb-76824b77eeca
Rulename	Sonrai Ticket Escalation Executed
Description	Checks if Sonrai tickets have had a comment added. It uses the action type to check if a ticket has had a comment added
Severity	Medium
Tactics	Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation
Techniques	T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499
Required data connectors	SonraiDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketCommentAdded.yaml
Version	1.0.2
Arm template	0d29c93e-b83f-4dfb-bbbb-76824b77eeca.json

KQL

Sonrai_Tickets_CL
| where action_d == 9

YAML

query: |
  Sonrai_Tickets_CL
  | where action_d == 9  
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
name: Sonrai Ticket Escalation Executed
severity: Medium
triggerThreshold: 0
description: |
  'Checks if Sonrai tickets have had a comment added. 
  It uses the action type to check if a ticket has had a comment added'  
status: Available
triggerOperator: gt
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - columnName: digest_criticalResourceName_s
    identifier: Name
  entityType: CloudApplication
customDetails:
  ticketStatus: digest_status_s
  ticketName: digest_title_s
  ticketOrg: digest_org_s
  resourceLabel: digest_resourceLabel_s
  resourceType: digest_resourceType_s
  criticalResource: digest_criticalResourceName_s
  ticketSeverity: digest_severityCategory_s
requiredDataConnectors:
- connectorId: SonraiDataConnector
  dataTypes:
  - Sonrai_Tickets_CL
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDescriptionFormat: digest_ticketKeyDescription_s
  alertSeverityColumnName: digest_severityCategory_s
  alertDisplayNameFormat: Comment Added - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
id: 0d29c93e-b83f-4dfb-bbbb-76824b77eeca
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketCommentAdded.yaml
queryPeriod: 5m
queryFrequency: 5m
version: 1.0.2
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0d29c93e-b83f-4dfb-bbbb-76824b77eeca')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0d29c93e-b83f-4dfb-bbbb-76824b77eeca')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "Comment Added - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "0d29c93e-b83f-4dfb-bbbb-76824b77eeca",
        "customDetails": {
          "criticalResource": "digest_criticalResourceName_s",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketSeverity": "digest_severityCategory_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks if Sonrai tickets have had a comment added. \nIt uses the action type to check if a ticket has had a comment added'\n",
        "displayName": "Sonrai Ticket Escalation Executed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketCommentAdded.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 9\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}