Guardian- Sentiment Policy Violation Detection

Back


Id	24538989-9dea-4cc7-aa78-0969ca116051
Rulename	Guardian- Sentiment Policy Violation Detection
Description	This alert creates an incident when Sentiment Policy Violation detected from the Guardian.
Severity	Low
Required data connectors	BoschAIShield
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/SentimentVulDetection.yaml
Version	1.0.0
Arm template	24538989-9dea-4cc7-aa78-0969ca116051.json

KQL

Guardian
| where PolicyViolatedControlFeature =~ 'Sentiment'
| where Severity =~ 'Low'

YAML

name: Guardian- Sentiment Policy Violation Detection
tactics: []
alertDetailsOverride:
  alertDisplayNameFormat: Guardian- Sentiment Policy Violation detection
  alertSeverityColumnName: Severity
  alertTacticsColumnName: 
  alertDescriptionFormat: |
        This query detects Sentiment Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\n\nPlease check the source for more information and investigate further.
description: |
    'This alert creates an incident when Sentiment Policy Violation detected from the Guardian.'
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: NTDomain
    identifier: NTDomain
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/SentimentVulDetection.yaml
version: 1.0.0
triggerThreshold: 0
queryFrequency: 1h
kind: Scheduled
triggerOperator: gt
relevantTechniques: []
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: BoschAIShield
  dataTypes:
  - Guardian
severity: Low
queryPeriod: 1h
status: Available
query: |
  Guardian
  | where PolicyViolatedControlFeature =~ 'Sentiment'
  | where Severity =~ 'Low'  
id: 24538989-9dea-4cc7-aa78-0969ca116051

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24538989-9dea-4cc7-aa78-0969ca116051')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24538989-9dea-4cc7-aa78-0969ca116051')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query detects Sentiment Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\\n\\nPlease check the source for more information and investigate further.\n",
          "alertDisplayNameFormat": "Guardian- Sentiment Policy Violation detection",
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "24538989-9dea-4cc7-aa78-0969ca116051",
        "customDetails": null,
        "description": "'This alert creates an incident when Sentiment Policy Violation detected from the Guardian.'\n",
        "displayName": "Guardian- Sentiment Policy Violation Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/SentimentVulDetection.yaml",
        "query": "Guardian\n| where PolicyViolatedControlFeature =~ 'Sentiment'\n| where Severity =~ 'Low'\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}