Theom Medium Risks

TheomAlerts_CL
 | where priority_s == "P3"

kind: Scheduled
severity: High
status: Available
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Exfiltration
- Impact
- Reconnaissance
entityMappings:
- fieldMappings:
  - columnName: customProps_AssetName_s
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: deepLink_s
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksMedium.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 5m
query: |
  TheomAlerts_CL
   | where priority_s == "P3"  
description: |
    "Creates Microsoft Sentinel incidents for medium risk Theom alerts."
queryFrequency: 5m
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
version: 1.0.2
name: Theom Medium Risks
id: 4cb34832-f73a-49f2-8d38-c2d135c5440b
relevantTechniques:
- T1592
- T1589
- T1070
- T1552
- T1619
- T1119
- T1560
- T1530
- T1213
- T1001
- T1041
- T1537
- T1485
- T1486
- T1565