Armorblox_CL
| where remediation_actions_s contains "Needs Review"
| extend users_json = parse_json(users_s)
| extend Name = users_json[0].name, Email = users_json[0].email
| project-away users_json
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
severity: Medium
queryFrequency: 10m
kind: Scheduled
triggerThreshold: 0
description: |
'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
version: 1.0.2
customDetails:
IncidentId: id_s
RemediationAction: remediation_actions_s
query: |
Armorblox_CL
| where remediation_actions_s contains "Needs Review"
| extend users_json = parse_json(users_s)
| extend Name = users_json[0].name, Email = users_json[0].email
| project-away users_json
name: Armorblox Needs Review Alert
queryPeriod: 10m
triggerOperator: GreaterThan
requiredDataConnectors:
- connectorId: Armorblox
dataTypes:
- Armorblox_CL
status: Available
tactics: []
relevantTechniques: []
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: Alert from Armorblox
alertSeverityColumnName: priority_s
alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
entityMappings:
- entityType: Mailbox
fieldMappings:
- columnName: Email
identifier: MailboxPrimaryAddress
- columnName: Name
identifier: DisplayName
