Theom - Least priv large value shadow DB
Id | 67b9ff50-5393-49d5-b66f-05b33e2f35d2 |
Rulename | Theom - Least priv large value shadow DB |
Description | “Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)” |
Severity | High |
Tactics | Collection |
Techniques | T1560 T1530 |
Required data connectors | Theom |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml |
Version | 1.0.2 |
Arm template | 67b9ff50-5393-49d5-b66f-05b33e2f35d2.json |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
- TheomAlerts_CL
connectorId: Theom
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
relevantTechniques:
- T1560
- T1530
queryFrequency: 5m
entityMappings:
- entityType: CloudApplication
fieldMappings:
- columnName: customProps_AssetName_s
identifier: Name
- entityType: URL
fieldMappings:
- columnName: deepLink_s
identifier: Url
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
id: 67b9ff50-5393-49d5-b66f-05b33e2f35d2
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)"
name: Theom - Least priv large value shadow DB
tactics:
- Collection
version: 1.0.2
severity: High
status: Available
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
},
"alertRuleTemplateName": "67b9ff50-5393-49d5-b66f-05b33e2f35d2",
"customDetails": null,
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)\"\n",
"displayName": "Theom - Least priv large value shadow DB",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "customProps_AssetName_s",
"identifier": "Name"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "deepLink_s",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml",
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0032\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection"
],
"techniques": [
"T1530",
"T1560"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}