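---
# Sentinel scheduled analytic rule: raises an alert for every Armorblox
# incident whose remediation action is still "Needs Review".
id: 322d4765-be6b-4868-9e3f-138a4f339dd6
name: Armorblox Needs Review Alert
kind: Scheduled
# Plain quoted scalar: a `|` block scalar wrapped in single quotes would carry
# the literal quote characters and a trailing newline into the rendered rule.
description: 'This rule generates an alert for an Armorblox incident where the remediation action is "Needs Review".'
severity: Medium
status: Available
version: '1.0.1'
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml'

requiredDataConnectors:
  - connectorId: Armorblox
    dataTypes:
      - Armorblox_CL

# Look back over the same window as the run interval, so each run sees
# only new rows and a row is not re-alerted by consecutive runs.
queryFrequency: 10m
queryPeriod: 10m
# `contains` is a case-insensitive substring match in KQL, so casing
# variants of the action value also fire the rule.
query: |
  Armorblox_CL | where remediation_actions_s contains "Needs Review"
# Any matching row (count > 0) triggers.
triggerOperator: GreaterThan
triggerThreshold: 0

eventGroupingSettings:
  # One alert per returned row rather than one per query run.
  aggregationKind: AlertPerResult

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    # Grouping is off and the rule declares no entityMappings, so each
    # AlertPerResult alert becomes its own incident.
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 10m
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

alertDetailsOverride:
  # NOTE(review): the override only applies when priority_s holds values
  # Sentinel accepts as severities — confirm against the connector schema.
  alertSeverityColumnName: priority_s
  alertDisplayNameFormat: Alert from Armorblox
  alertDescriptionFormat: 'Incident {{id_s}} generated at {{date_t}} needs review '
  # Explicit null: the query supplies no tactics column.
  alertTacticsColumnName: null

customDetails:
  IncidentId: id_s
  RemediationAction: remediation_actions_s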
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/322d4765-be6b-4868-9e3f-138a4f339dd6')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Armorblox Needs Review Alert",
"description": "This rule generates an alert for an Armorblox incident where the remediation action is \"Needs Review\".",
"severity": "Medium",
"enabled": true,
"query": "Armorblox_CL | where remediation_actions_s contains \"Needs Review\"",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "322d4765-be6b-4868-9e3f-138a4f339dd6",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"groupByCustomDetails": [],
"reopenClosedIncident": false,
"groupByAlertDetails": [],
"matchingMethod": "AllEntities",
"lookbackDuration": "PT10M",
"enabled": false,
"groupByEntities": []
}
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "priority_s",
"alertDescriptionFormat": "Incident {{id_s}} generated at {{date_t}} needs review ",
"alertDisplayNameFormat": "Alert from Armorblox",
"alertTacticsColumnName": null
},
"customDetails": {
"RemediationAction": "remediation_actions_s",
"IncidentId": "id_s"
},
"entityMappings": null,
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Analytic Rules/ArmorbloxNeedsReviewAlert.yaml",
"templateVersion": "1.0.1",
"status": "Available"
}
}
]
}