Votiro - File Blocked from Connector
Id | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 |
Rulename | Votiro - File Blocked from Connector |
Description | The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL. |
Severity | Low |
Tactics | DefenseEvasion Discovery Impact |
Techniques | T1036 T1083 T1057 T1082 T1565 T1498 T0837 |
Required data connectors | Votiro |
Kind | Scheduled |
Query frequency | 10m |
Query period | 10m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml |
Version | 1.0.0 |
Arm template | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5.json |
let Votiro_view = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
severity: Low
name: Votiro - File Blocked from Connector
incidentConfiguration:
createIncident: true
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: Votiro
alertDetailsOverride:
alertSeverityColumnName: LogSeverity
alertTacticsColumnName: sanitizationResult
alertDescriptionFormat: The {{FileWithConnectorDetails}} was blocked by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}
alertDisplayNameFormat: File with hash {{SrcFileSHA256}} was blocked
id: 17bf3780-ae0d-4cd9-a884-5df8b687f3f5
tactics:
- DefenseEvasion
- Discovery
- Impact
queryFrequency: 10m
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml
description: |
'The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL.'
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1036
- T1083
- T1057
- T1082
- T1565
- T1498
- T0837
query: let Votiro_view = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
entityMappings:
- entityType: FileHash
fieldMappings:
- columnName: FileHashAlgo
identifier: Algorithm
- columnName: FileHashValue
identifier: Value
version: 1.0.0
queryPeriod: 10m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17bf3780-ae0d-4cd9-a884-5df8b687f3f5')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17bf3780-ae0d-4cd9-a884-5df8b687f3f5')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Votiro - File Blocked from Connector",
"description": "'The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL.'\n",
"severity": "Low",
"enabled": true,
"query": "let Votiro_view = view () { VotiroEvents | where sanitizationResult has \"Blocked\" and passwordProtected == \"false\" and from =~ \"null\" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = \"SHA256\", FileHashValue = SrcFileSHA256};Votiro_view",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Impact"
],
"techniques": [
"T1036",
"T1083",
"T1057",
"T1082",
"T1565",
"T1498",
"T0837"
],
"alertRuleTemplateName": "17bf3780-ae0d-4cd9-a884-5df8b687f3f5",
"incidentConfiguration": {
"createIncident": true
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "LogSeverity",
"alertTacticsColumnName": "sanitizationResult",
"alertDescriptionFormat": "The {{FileWithConnectorDetails}} was blocked by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}",
"alertDisplayNameFormat": "File with hash {{SrcFileSHA256}} was blocked"
},
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Algorithm",
"columnName": "FileHashAlgo"
},
{
"identifier": "Value",
"columnName": "FileHashValue"
}
],
"entityType": "FileHash"
}
],
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml"
}
}
]
}