TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
name: Theom - Least priv large value shadow DB
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0032" and (priority_s == "P1" or priority_s == "P2")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml
queryFrequency: 5m
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- TheomAlerts_CL
connectorId: Theom
version: 1.0.0
status: Available
queryPeriod: 5m
id: 67b9ff50-5393-49d5-b66f-05b33e2f35d2
triggerOperator: gt
entityMappings:
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
severity: High
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)"
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67b9ff50-5393-49d5-b66f-05b33e2f35d2')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Theom - Least priv large value shadow DB",
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0032 (Theom has observed shadow (or clone) databases/tables that have a large financial value. Additionally, it has observed roles that are overprovisioned for these data stores. As per this requirement, use this information to apply data access control lists or access permissions and enforce data retention policies)\"\n",
"severity": "High",
"enabled": true,
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0032\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "67b9ff50-5393-49d5-b66f-05b33e2f35d2",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} ",
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n"
},
"customDetails": null,
"entityMappings": null,
"status": "Available",
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0033_Least_priv_large_value_shadow_DB.yaml"
}
}
]
}
