Palo Alto Prisma Cloud - Maximum risk score alert

Back


Id	119a574d-f37a-403a-a67a-4d6f5083d9cf
Rulename	Palo Alto Prisma Cloud - Maximum risk score alert
Description	Detects alerts with maximum risk score value.
Severity	Medium
Tactics	InitialAccess
Techniques	T1133
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
Version	1.0.1
Arm template	119a574d-f37a-403a-a67a-4d6f5083d9cf.json

KQL

PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where RiskDetailRiskScoreScore == RiskDetailRiskScoreMaxScore
| extend AccountCustomEntity = UserName

YAML

name: Palo Alto Prisma Cloud - Maximum risk score alert
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.1
triggerOperator: gt
description: |
    'Detects alerts with maximum risk score value.'
query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where RiskDetailRiskScoreScore == RiskDetailRiskScoreMaxScore
  | extend AccountCustomEntity = UserName  
relevantTechniques:
- T1133
id: 119a574d-f37a-403a-a67a-4d6f5083d9cf
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/119a574d-f37a-403a-a67a-4d6f5083d9cf')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/119a574d-f37a-403a-a67a-4d6f5083d9cf')]",
      "properties": {
        "alertRuleTemplateName": "119a574d-f37a-403a-a67a-4d6f5083d9cf",
        "customDetails": null,
        "description": "'Detects alerts with maximum risk score value.'\n",
        "displayName": "Palo Alto Prisma Cloud - Maximum risk score alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml",
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where RiskDetailRiskScoreScore == RiskDetailRiskScoreMaxScore\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}