Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Flow Logs Alerts for Prancer

Back
Id59336232-1bbc-4f66-90dd-5ac3708e4405
RulenameFlow Logs Alerts for Prancer
DescriptionHigh severity flow Log alerts found by Prancer.
SeverityHigh
TacticsReconnaissance
TechniquesT1595
Required data connectorsPrancerLogData
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Flow_Logs_High_Severity.yaml
Version1.0.3
Arm template59336232-1bbc-4f66-90dd-5ac3708e4405.json
Deploy To Azure
union prancer_CL
| where deviceProduct_s == 'azure'
| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkWatchers/flowLogs'
| where data_data_severity_s == 'High' and data_data_result_s == 'failed'
| extend snapshot = parse_json(data_data_snapshots_s)
| mv-expand snapshot 
| extend
    id = tostring(snapshot.id),
    structure = tostring(snapshot.structure),
    reference = tostring(snapshot.reference),
    source = tostring(snapshot.source),
    collection = tostring(snapshot.collection),
    type = tostring(snapshot.type),
    region = tostring(snapshot.region),
    resourceTypes = tostring(snapshot.resourceTypes),
    path = tostring(snapshot.path)
severity: High
id: 59336232-1bbc-4f66-90dd-5ac3708e4405
customDetails: 
queryPeriod: 5h
queryFrequency: 5h
triggerOperator: gt
status: Available
relevantTechniques:
- T1595
tactics:
- Reconnaissance
kind: Scheduled
alertDetailsOverride:
  alertDescriptionFormat: '{{data_data_description_s}}'
  alertDynamicProperties:
  - alertProperty: RemediationSteps
    value: data_data_remediation_description_s
  alertSeverityColumnName: '{{data_data_severity_s}}'
  alertDisplayNameFormat: '{{data_data_message_s}}'
description: |
    'High severity flow Log alerts found by Prancer.'
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Flow_Logs_High_Severity.yaml
requiredDataConnectors:
- dataTypes:
  - prancer_CL
  connectorId: PrancerLogData
entityMappings:
- entityType: AzureResource
  fieldMappings:
  - columnName: path
    identifier: ResourceId
query: |
  union prancer_CL
  | where deviceProduct_s == 'azure'
  | where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkWatchers/flowLogs'
  | where data_data_severity_s == 'High' and data_data_result_s == 'failed'
  | extend snapshot = parse_json(data_data_snapshots_s)
  | mv-expand snapshot 
  | extend
      id = tostring(snapshot.id),
      structure = tostring(snapshot.structure),
      reference = tostring(snapshot.reference),
      source = tostring(snapshot.source),
      collection = tostring(snapshot.collection),
      type = tostring(snapshot.type),
      region = tostring(snapshot.region),
      resourceTypes = tostring(snapshot.resourceTypes),
      path = tostring(snapshot.path)  
version: 1.0.3
name: Flow Logs Alerts for Prancer
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/59336232-1bbc-4f66-90dd-5ac3708e4405')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/59336232-1bbc-4f66-90dd-5ac3708e4405')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{data_data_description_s}}",
          "alertDisplayNameFormat": "{{data_data_message_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "RemediationSteps",
              "value": "data_data_remediation_description_s"
            }
          ],
          "alertSeverityColumnName": "{{data_data_severity_s}}"
        },
        "alertRuleTemplateName": "59336232-1bbc-4f66-90dd-5ac3708e4405",
        "customDetails": null,
        "description": "'High severity flow Log alerts found by Prancer.'\n",
        "displayName": "Flow Logs Alerts for Prancer",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "path",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Flow_Logs_High_Severity.yaml",
        "query": "union prancer_CL\n| where deviceProduct_s == 'azure'\n| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkWatchers/flowLogs'\n| where data_data_severity_s == 'High' and data_data_result_s == 'failed'\n| extend snapshot = parse_json(data_data_snapshots_s)\n| mv-expand snapshot \n| extend\n    id = tostring(snapshot.id),\n    structure = tostring(snapshot.structure),\n    reference = tostring(snapshot.reference),\n    source = tostring(snapshot.source),\n    collection = tostring(snapshot.collection),\n    type = tostring(snapshot.type),\n    region = tostring(snapshot.region),\n    resourceTypes = tostring(snapshot.resourceTypes),\n    path = tostring(snapshot.path)\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1595"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}