Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Armorblox Needs Review Alert

Back
Id322d4765-be6b-4868-9e3f-138a4f339dd6
RulenameArmorblox Needs Review Alert
DescriptionThis rule generates an alert for an Armorblox incident where the remediation action is “Needs Review”.
SeverityMedium
Required data connectorsArmorblox
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
Version1.0.2
Arm template322d4765-be6b-4868-9e3f-138a4f339dd6.json
Deploy To Azure
Armorblox_CL 
| where remediation_actions_s contains "Needs Review"
| extend users_json = parse_json(users_s)
| extend Name = users_json[0].name, Email = users_json[0].email
| project-away users_json
triggerThreshold: 0
queryFrequency: 10m
requiredDataConnectors:
- dataTypes:
  - Armorblox_CL
  connectorId: Armorblox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
queryPeriod: 10m
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
name: Armorblox Needs Review Alert
query: |
  Armorblox_CL 
  | where remediation_actions_s contains "Needs Review"
  | extend users_json = parse_json(users_s)
  | extend Name = users_json[0].name, Email = users_json[0].email
  | project-away users_json  
tactics: []
severity: Medium
version: 1.0.2
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDisplayNameFormat: Alert from Armorblox
  alertSeverityColumnName: priority_s
  alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
customDetails:
  RemediationAction: remediation_actions_s
  IncidentId: id_s
description: |
    'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
relevantTechniques: []
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: Email
    identifier: MailboxPrimaryAddress
  - columnName: Name
    identifier: DisplayName
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Incident {{id_s}} generated at {{date_t}} needs review ",
          "alertDisplayNameFormat": "Alert from Armorblox",
          "alertSeverityColumnName": "priority_s"
        },
        "alertRuleTemplateName": "322d4765-be6b-4868-9e3f-138a4f339dd6",
        "customDetails": {
          "IncidentId": "id_s",
          "RemediationAction": "remediation_actions_s"
        },
        "description": "'This rule generates an alert for an Armorblox incident where the remediation action is \"Needs Review\".'\n",
        "displayName": "Armorblox Needs Review Alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "Email",
                "identifier": "MailboxPrimaryAddress"
              },
              {
                "columnName": "Name",
                "identifier": "DisplayName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml",
        "query": "Armorblox_CL \n| where remediation_actions_s contains \"Needs Review\"\n| extend users_json = parse_json(users_s)\n| extend Name = users_json[0].name, Email = users_json[0].email\n| project-away users_json\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}