Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Armorblox Needs Review Alert

Back
Id322d4765-be6b-4868-9e3f-138a4f339dd6
RulenameArmorblox Needs Review Alert
DescriptionThis rule generates an alert for an Armorblox incident where the remediation action is “Needs Review”.
SeverityMedium
Required data connectorsArmorblox
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
Version1.0.1
Arm template322d4765-be6b-4868-9e3f-138a4f339dd6.json
Deploy To Azure
Armorblox_CL | where remediation_actions_s contains "Needs Review"
triggerOperator: GreaterThan
version: 1.0.1
query: Armorblox_CL | where remediation_actions_s contains "Needs Review"
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml
queryFrequency: 10m
requiredDataConnectors:
- connectorId: Armorblox
  dataTypes:
  - Armorblox_CL
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    matchingMethod: AllEntities
    lookbackDuration: 10m
    enabled: false
    groupByEntities: []
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Armorblox Needs Review Alert
queryPeriod: 10m
severity: Medium
kind: Scheduled
alertDetailsOverride:
  alertSeverityColumnName: priority_s
  alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
  alertDisplayNameFormat: Alert from Armorblox
  alertTacticsColumnName: 
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
description: |
    'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
customDetails:
  IncidentId: id_s
  RemediationAction: remediation_actions_s
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Armorblox Needs Review Alert",
        "description": "'This rule generates an alert for an Armorblox incident where the remediation action is \"Needs Review\".'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "Armorblox_CL | where remediation_actions_s contains \"Needs Review\"",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "322d4765-be6b-4868-9e3f-138a4f339dd6",
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "groupByCustomDetails": [],
            "reopenClosedIncident": false,
            "groupByAlertDetails": [],
            "matchingMethod": "AllEntities",
            "lookbackDuration": "PT10M",
            "enabled": false,
            "groupByEntities": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": "priority_s",
          "alertDescriptionFormat": "Incident {{id_s}} generated at {{date_t}} needs review ",
          "alertDisplayNameFormat": "Alert from Armorblox",
          "alertTacticsColumnName": null
        },
        "customDetails": {
          "RemediationAction": "remediation_actions_s",
          "IncidentId": "id_s"
        },
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}