Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sonrai Ticket Assigned

Back
Id37a8d052-a3db-4dc6-9dca-9390cac6f486
RulenameSonrai Ticket Assigned
DescriptionChecks if Sonrai tickets have been assigned.

It uses the action type to check if a ticket has been assigned
SeverityMedium
TacticsCollection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
TechniquesT1566
T1059
T1547
T1548
T1562
T1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsSonraiDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketAssigned.yaml
Version1.0.2
Arm template37a8d052-a3db-4dc6-9dca-9390cac6f486.json
Deploy To Azure
Sonrai_Tickets_CL
| where action_d == 4
customDetails:
  resourceType: digest_resourceType_s
  assignedTo: digest_assignedTo_s
  ticketStatus: digest_status_s
  ticketOrg: digest_org_s
  criticalResource: digest_criticalResourceName_s
  ticketSeverity: digest_severityCategory_s
  resourceLabel: digest_resourceLabel_s
  ticketName: digest_title_s
id: 37a8d052-a3db-4dc6-9dca-9390cac6f486
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketAssigned.yaml
requiredDataConnectors:
- dataTypes:
  - Sonrai_Tickets_CL
  connectorId: SonraiDataConnector
description: |
  'Checks if Sonrai tickets have been assigned. 
  It uses the action type to check if a ticket has been assigned'  
severity: Medium
queryPeriod: 5m
kind: Scheduled
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
query: |
  Sonrai_Tickets_CL
  | where action_d == 4  
version: 1.0.2
triggerThreshold: 0
name: Sonrai Ticket Assigned
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: digest_criticalResourceName_s
    identifier: Name
status: Available
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
alertDetailsOverride:
  alertDisplayNameFormat: Assigned - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
  alertDescriptionFormat: digest_ticketKeyDescription_s
  alertSeverityColumnName: digest_severityCategory_s
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/37a8d052-a3db-4dc6-9dca-9390cac6f486')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/37a8d052-a3db-4dc6-9dca-9390cac6f486')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "Assigned - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "37a8d052-a3db-4dc6-9dca-9390cac6f486",
        "customDetails": {
          "assignedTo": "digest_assignedTo_s",
          "criticalResource": "digest_criticalResourceName_s",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketSeverity": "digest_severityCategory_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks if Sonrai tickets have been assigned. \nIt uses the action type to check if a ticket has been assigned'\n",
        "displayName": "Sonrai Ticket Assigned",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketAssigned.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 4\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}