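---
# Microsoft Sentinel scheduled analytic rule (Armorblox solution).
# Raises one alert per Armorblox_CL row whose remediation action is "Needs Review".
# Nesting below follows the ARM template rendered from this file
# (incidentConfiguration > groupingConfiguration, requiredDataConnectors > dataTypes);
# the flattened copy this replaces also carried a stray duplicate of the query on its
# first line, which is not valid YAML and is dropped here.
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
name: Armorblox Needs Review Alert
# Repo convention: literal block whose single quotes end up in the rendered description text.
description: |
  'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
# Rule-level severity; overridden per alert by alertSeverityColumnName below.
severity: Medium
status: Available
kind: Scheduled
version: '1.0.1'
requiredDataConnectors:
  - connectorId: Armorblox
    dataTypes:
      - Armorblox_CL
# Runs every 10 minutes over the preceding 10 minutes.
# NOTE(review): queryPeriod == queryFrequency leaves no overlap between runs, so a row that
# is ingested after its time window has already been queried (ingestion delay) is never
# evaluated. Widening queryPeriod closes that gap, but with AlertPerResult below and no
# dedup in the query it would re-alert the same incident on every overlapping run; if the
# window is widened, dedupe on id_s in the query as well.
queryFrequency: 10m
queryPeriod: 10m
# GreaterThan 0: any matching row fires the rule.
triggerOperator: GreaterThan
triggerThreshold: 0
# KQL `contains` is a case-insensitive substring match, so "Needs Review" embedded in a
# longer remediation_actions_s value also matches. Detection depends entirely on the
# vendor-populated field; a change in the connector's action vocabulary silently disables it.
query: 'Armorblox_CL | where remediation_actions_s contains "Needs Review"'
# One alert per query row rather than one per run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  # `enabled` here is the alert-grouping switch, not the rule's own enabled state.
  # This rule declares no entityMappings, so matchingMethod AllEntities would have nothing
  # to match on even if grouping were turned on; incidents also cannot be pivoted by entity.
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 10m
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
# Query columns surfaced on the alert.
customDetails:
  RemediationAction: remediation_actions_s
  IncidentId: id_s
alertDetailsOverride:
  alertDisplayNameFormat: Alert from Armorblox
  # {{id_s}} and {{date_t}} are substituted from the alerting row; trailing space kept as-is.
  alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
  # Alert severity is taken from the vendor-supplied priority_s column, i.e. from ingested
  # data. NOTE(review): values outside Sentinel's severity set should fall back to the
  # rule-level `severity` -- confirm the connector's priority vocabulary maps cleanly before
  # relying on per-alert severity for triage.
  alertSeverityColumnName: priority_s
  alertTacticsColumnName: null
# Presumably emitted by the solution packaging tooling; kept verbatim, including the
# unencoded space in the path.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml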
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Armorblox Needs Review Alert",
"description": "'This rule generates an alert for an Armorblox incident where the remediation action is \"Needs Review\".'\n",
"severity": "Medium",
"enabled": true,
"query": "Armorblox_CL | where remediation_actions_s contains \"Needs Review\"",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "322d4765-be6b-4868-9e3f-138a4f339dd6",
"incidentConfiguration": {
"groupingConfiguration": {
"groupByAlertDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT10M",
"groupByCustomDetails": [],
"reopenClosedIncident": false,
"enabled": false,
"matchingMethod": "AllEntities"
},
"createIncident": true
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "priority_s",
"alertDisplayNameFormat": "Alert from Armorblox",
"alertTacticsColumnName": null,
"alertDescriptionFormat": "Incident {{id_s}} generated at {{date_t}} needs review "
},
"customDetails": {
"RemediationAction": "remediation_actions_s",
"IncidentId": "id_s"
},
"entityMappings": null,
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml",
"status": "Available"
}
}
]
}