Armorblox_CL
| where remediation_actions_s contains "Needs Review"
| extend users_json = parse_json(users_s)
| extend Name = users_json[0].name, Email = users_json[0].email
| project-away users_json
triggerOperator: GreaterThan
description: |
'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
alertDisplayNameFormat: Alert from Armorblox
alertSeverityColumnName: priority_s
entityMappings:
- fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: Email
- identifier: DisplayName
columnName: Name
entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- Armorblox_CL
connectorId: Armorblox
tactics: []
relevantTechniques: []
query: |
Armorblox_CL
| where remediation_actions_s contains "Needs Review"
| extend users_json = parse_json(users_s)
| extend Name = users_json[0].name, Email = users_json[0].email
| project-away users_json
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
status: Available
customDetails:
RemediationAction: remediation_actions_s
IncidentId: id_s
severity: Medium
name: Armorblox Needs Review Alert
version: 1.0.2
queryFrequency: 10m
queryPeriod: 10m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Incident {{id_s}} generated at {{date_t}} needs review ",
"alertDisplayNameFormat": "Alert from Armorblox",
"alertSeverityColumnName": "priority_s"
},
"alertRuleTemplateName": "322d4765-be6b-4868-9e3f-138a4f339dd6",
"customDetails": {
"IncidentId": "id_s",
"RemediationAction": "remediation_actions_s"
},
"description": "'This rule generates an alert for an Armorblox incident where the remediation action is \"Needs Review\".'\n",
"displayName": "Armorblox Needs Review Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "Email",
"identifier": "MailboxPrimaryAddress"
},
{
"columnName": "Name",
"identifier": "DisplayName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml",
"query": "Armorblox_CL \n| where remediation_actions_s contains \"Needs Review\"\n| extend users_json = parse_json(users_s)\n| extend Name = users_json[0].name, Email = users_json[0].email\n| project-away users_json\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [],
"techniques": [],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}
