Votiro - File Blocked from Connector
Id | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5 |
Rulename | Votiro - File Blocked from Connector |
Description | The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL. |
Severity | Low |
Tactics | DefenseEvasion Discovery Impact |
Techniques | T1036 T1083 T1057 T1082 T1565 T1498 T0837 |
Required data connectors | CefAma Votiro |
Kind | Scheduled |
Query frequency | 10m |
Query period | 10m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml |
Version | 1.0.1 |
Arm template | 17bf3780-ae0d-4cd9-a884-5df8b687f3f5.json |
let Votiro_view = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
queryPeriod: 10m
version: 1.0.1
tactics:
- DefenseEvasion
- Discovery
- Impact
queryFrequency: 10m
id: 17bf3780-ae0d-4cd9-a884-5df8b687f3f5
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: Votiro
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
severity: Low
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: FileHash
fieldMappings:
- columnName: FileHashAlgo
identifier: Algorithm
- columnName: FileHashValue
identifier: Value
triggerThreshold: 0
relevantTechniques:
- T1036
- T1083
- T1057
- T1082
- T1565
- T1498
- T0837
query: let Votiro_view = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
kind: Scheduled
name: Votiro - File Blocked from Connector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml
description: |
'The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL.'
alertDetailsOverride:
alertDescriptionFormat: The {{FileWithConnectorDetails}} was blocked by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}
alertSeverityColumnName: LogSeverity
alertTacticsColumnName: sanitizationResult
alertDisplayNameFormat: File with hash {{SrcFileSHA256}} was blocked
incidentConfiguration:
createIncident: true
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17bf3780-ae0d-4cd9-a884-5df8b687f3f5')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17bf3780-ae0d-4cd9-a884-5df8b687f3f5')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The {{FileWithConnectorDetails}} was blocked by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}",
"alertDisplayNameFormat": "File with hash {{SrcFileSHA256}} was blocked",
"alertSeverityColumnName": "LogSeverity",
"alertTacticsColumnName": "sanitizationResult"
},
"alertRuleTemplateName": "17bf3780-ae0d-4cd9-a884-5df8b687f3f5",
"customDetails": null,
"description": "'The analytic rule is intended to detect when a file is blocked by Votiro Sanitization Engine due to a specific policy, and notify the appropriate parties so that they can take appropriate action. The alert message will state that a file with a specific name and hash value was blocked by Votiro Sanatization Engine due to a specific policy name, and that more details can be found at a specific incident URL.'\n",
"displayName": "Votiro - File Blocked from Connector",
"enabled": true,
"entityMappings": [
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "FileHashAlgo",
"identifier": "Algorithm"
},
{
"columnName": "FileHashValue",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedFromConnector.yaml",
"query": "let Votiro_view = view () { VotiroEvents | where sanitizationResult has \"Blocked\" and passwordProtected == \"false\" and from =~ \"null\" | extend FileWithConnectorDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'that was sent from connector', connectorName) | summarize count() by fileName, SrcFileSHA256, FileWithConnectorDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = \"SHA256\", FileHashValue = SrcFileSHA256};Votiro_view",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Low",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Impact"
],
"techniques": [
"T1036",
"T1057",
"T1082",
"T1083",
"T1498",
"T1565"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}