Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Storage Accounts Alerts From Prancer

Back
Id4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b
RulenameStorage Accounts Alerts From Prancer
DescriptionHigh severity storage account alerts found by Prancer.
SeverityHigh
TacticsReconnaissance
TechniquesT1595
Required data connectorsPrancerLogData
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Storage_Accounts_High_Severity.yaml
Version1.0.2
Arm template4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b.json
Deploy To Azure
union prancer_CL
| where deviceProduct_s == 'azure'
| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Storage/storageAccounts'
| where data_data_severity_s == 'High' and data_data_result_s == 'failed'
| extend snapshot = parse_json(data_data_snapshots_s)
| mv-expand snapshot 
| extend
    id = tostring(snapshot.id),
    structure = tostring(snapshot.structure),
    reference = tostring(snapshot.reference),
    source = tostring(snapshot.source),
    collection = tostring(snapshot.collection),
    type = tostring(snapshot.type),
    region = tostring(snapshot.region),
    resourceTypes = tostring(snapshot.resourceTypes),
    path = tostring(snapshot.path)
alertDetailsOverride:
  alertDescriptionFormat: '{{data_data_description_s}}'
  alertDisplayNameFormat: '{{data_data_message_s}}'
  alertDynamicProperties:
  - value: data_data_remediation_description_s
    alertProperty: RemediationSteps
  alertSeverityColumnName: '{{data_data_severity_s}}'
query: |
  union prancer_CL
  | where deviceProduct_s == 'azure'
  | where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Storage/storageAccounts'
  | where data_data_severity_s == 'High' and data_data_result_s == 'failed'
  | extend snapshot = parse_json(data_data_snapshots_s)
  | mv-expand snapshot 
  | extend
      id = tostring(snapshot.id),
      structure = tostring(snapshot.structure),
      reference = tostring(snapshot.reference),
      source = tostring(snapshot.source),
      collection = tostring(snapshot.collection),
      type = tostring(snapshot.type),
      region = tostring(snapshot.region),
      resourceTypes = tostring(snapshot.resourceTypes),
      path = tostring(snapshot.path)  
relevantTechniques:
- T1595
entityMappings:
- entityType: AzureResource
  fieldMappings:
  - columnName: path
    identifier: ResourceId
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 5h
customDetails: 
tactics:
- Reconnaissance
id: 4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Storage_Accounts_High_Severity.yaml
description: |
    'High severity storage account alerts found by Prancer.'
queryFrequency: 5h
name: Storage Accounts Alerts From Prancer
severity: High
version: 1.0.2
status: Available
requiredDataConnectors:
- dataTypes:
  - prancer_CL
  connectorId: PrancerLogData
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{data_data_description_s}}",
          "alertDisplayNameFormat": "{{data_data_message_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "RemediationSteps",
              "value": "data_data_remediation_description_s"
            }
          ],
          "alertSeverityColumnName": "{{data_data_severity_s}}"
        },
        "alertRuleTemplateName": "4adf2b5d-6b88-4b96-8cc2-a3c7fbbee10b",
        "customDetails": null,
        "description": "'High severity storage account alerts found by Prancer.'\n",
        "displayName": "Storage Accounts Alerts From Prancer",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "path",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Storage_Accounts_High_Severity.yaml",
        "query": "union prancer_CL\n| where deviceProduct_s == 'azure'\n| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Storage/storageAccounts'\n| where data_data_severity_s == 'High' and data_data_result_s == 'failed'\n| extend snapshot = parse_json(data_data_snapshots_s)\n| mv-expand snapshot \n| extend\n    id = tostring(snapshot.id),\n    structure = tostring(snapshot.structure),\n    reference = tostring(snapshot.reference),\n    source = tostring(snapshot.source),\n    collection = tostring(snapshot.collection),\n    type = tostring(snapshot.type),\n    region = tostring(snapshot.region),\n    resourceTypes = tostring(snapshot.resourceTypes),\n    path = tostring(snapshot.path)\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1595"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}