Guardian- Content Access Control Blocked List Policy Violation Detection

Back


Id	4c7f0b49-d972-4d26-81ab-36cbe43ac437
Rulename	Guardian- Content Access Control Blocked List Policy Violation Detection
Description	This alert creates an incident when Content Access Control Blocked List Policy Violation detected from the Guardian.
Severity	Medium
Required data connectors	BoschAIShield
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/ContentAccessControlBlockedListVulDetection.yaml
Version	1.0.0
Arm template	4c7f0b49-d972-4d26-81ab-36cbe43ac437.json

KQL

Guardian
| where PolicyViolatedControlFeature =~ 'Blocked List'
| where Severity =~ 'Medium'

YAML

description: |
    'This alert creates an incident when Content Access Control Blocked List Policy Violation detected from the Guardian.'
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: Guardian- Content Access Control Blocked List Policy Violation detection
  alertDescriptionFormat: |
        This query detects Content Access Control Blocked List Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\n\nPlease check the source for more information and investigate further
  alertTacticsColumnName: 
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Guardian
  connectorId: BoschAIShield
query: |
  Guardian
  | where PolicyViolatedControlFeature =~ 'Blocked List'
  | where Severity =~ 'Medium'  
name: Guardian- Content Access Control Blocked List Policy Violation Detection
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: NTDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
kind: Scheduled
severity: Medium
relevantTechniques: []
tactics: []
queryFrequency: 1h
version: 1.0.0
queryPeriod: 1h
triggerThreshold: 0
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/ContentAccessControlBlockedListVulDetection.yaml
id: 4c7f0b49-d972-4d26-81ab-36cbe43ac437
eventGroupingSettings:
  aggregationKind: SingleAlert

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4c7f0b49-d972-4d26-81ab-36cbe43ac437')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4c7f0b49-d972-4d26-81ab-36cbe43ac437')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query detects Content Access Control Blocked List Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\\n\\nPlease check the source for more information and investigate further\n",
          "alertDisplayNameFormat": "Guardian- Content Access Control Blocked List Policy Violation detection",
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "4c7f0b49-d972-4d26-81ab-36cbe43ac437",
        "customDetails": null,
        "description": "'This alert creates an incident when Content Access Control Blocked List Policy Violation detected from the Guardian.'\n",
        "displayName": "Guardian- Content Access Control Blocked List Policy Violation Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/ContentAccessControlBlockedListVulDetection.yaml",
        "query": "Guardian\n| where PolicyViolatedControlFeature =~ 'Blocked List'\n| where Severity =~ 'Medium'\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}