Pathlock_TDnR_CL
| where DataSource == "SAST_RT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Bname
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIp
tactics:
- Discovery
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- Pathlock_TDnR_CL
connectorId: Pathlock_TDnR
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
lookbackDuration: 5h
groupByEntities: []
groupByCustomDetails: []
enabled: true
matchingMethod: AnyAlert
createIncident: true
id: 2a3b4c5d-6e7f-4a0b-8c1d-2e3f4a5b6c52
severity: High
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
query: |
Pathlock_TDnR_CL
| where DataSource == "SAST_RT"
| project TimeGenerated, Sysid, DataSource, Eventid, Instance, Hostname, Bname,
Tcode, Report, Area, Subid, SrcIp, DestIp, AffectedUser, LogLine,
MsgType, MsgId, MsgNo, MessageV1, MessageV2, MessageV3, MessageV4, CentralTs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_RT.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Pathlock TDnR - RiskTrack Audit Results
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1082
description: Detects Pathlock RiskTrack audit results forwarded to Microsoft Sentinel. RiskTrack findings represent completed risk assessments identifying segregation of duties conflicts, critical access violations, and compliance gaps that require remediation or SOC awareness.
triggerOperator: gt
