TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0005" and (priority_s == "P1" or priority_s == "P2")
kind: Scheduled
triggerOperator: gt
queryFrequency: 5m
name: Theom - Unencrypted public data stores
alertDetailsOverride:
alertDescriptionFormat: |2
Summary: {{summary_s}}
Additional info: {{details_s}}
Please investigate further on Theom UI at {{deepLink_s}}
alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
status: Available
queryPeriod: 5m
id: 6b93d8b1-40cf-4973-adaa-6f240df21ff1
description: |
"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store and the data within should be publicly accessible. Additionally, encrypt the data at rest to comply with these CIS requirements)"
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0005_Unencrypted_public_data_stores.yaml
query: |
TheomAlerts_CL
| where customProps_RuleId_s == "TRIS0005" and (priority_s == "P1" or priority_s == "P2")
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
requiredDataConnectors:
- connectorId: Theom
dataTypes:
- TheomAlerts_CL
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b93d8b1-40cf-4973-adaa-6f240df21ff1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b93d8b1-40cf-4973-adaa-6f240df21ff1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Theom - Unencrypted public data stores",
"description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0005 (Theom has observed data stores that are both unencrypted and publicly accessible. Review if the data store and the data within should be publicly accessible. Additionally, encrypt the data at rest to comply with these CIS requirements)\"\n",
"severity": "High",
"enabled": true,
"query": "TheomAlerts_CL\n | where customProps_RuleId_s == \"TRIS0005\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"alertRuleTemplateName": "6b93d8b1-40cf-4973-adaa-6f240df21ff1",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Theom Alert ID: {{id_s}} ",
"alertDescriptionFormat": "\nSummary: {{summary_s}} \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n"
},
"customDetails": null,
"entityMappings": null,
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0005_Unencrypted_public_data_stores.yaml",
"status": "Available"
}
}
]
}