TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)"
triggerOperator: gt
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
- TheomAlerts_CL
connectorId: Theom
queryFrequency: 5m
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
status: Available
kind: Scheduled
version: 1.0.0
id: 67b9ff50-5393-49d5-b66f-05b33e2f35d2
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
name: Theom - Least priv large value shadow DB
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Theom - Least priv large value shadow DB",
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)\"\n",
"severity": "High",
"enabled": true,
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0032\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "67b9ff50-5393-49d5-b66f-05b33e2f35d2",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
},
"customDetails": null,
"entityMappings": null,
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml",
"status": "Available"
}
}
]
}