TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0005" and (priority_s == "P1" or priority_s == "P2")
queryFrequency: 5m
entityMappings:
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0005_Unencrypted_public_data_stores.yaml
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0005" and (priority_s == "P1" or priority_s == "P2")
id: 6b93d8b1-40cf-4973-adaa-6f240df21ff1
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: Theom
dataTypes:
- TheomAlerts_CL
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store and the data within should be publicly accessible. Additionally, encrypt the data at rest to comply with these CIS requirements)"
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
status: Available
name: Theom - Unencrypted public data stores
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b93d8b1-40cf-4973-adaa-6f240df21ff1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b93d8b1-40cf-4973-adaa-6f240df21ff1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Theom - Unencrypted public data stores",
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store and the data within should be publicly accessible. Additionally, encrypt the data at rest to comply with these CIS requirements)\"\n",
"severity": "High",
"enabled": true,
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0005\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "6b93d8b1-40cf-4973-adaa-6f240df21ff1",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
},
"customDetails": null,
"entityMappings": null,
"templateVersion": "1.0.0",
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0005_Unencrypted_public_data_stores.yaml"
}
}
]
}