Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VirtualNetworkPeerings Alerts From Prancer

Back
Id6bd031cf-78d0-4edd-8191-60f84b6eef7a
RulenameVirtualNetworkPeerings Alerts From Prancer
DescriptionHigh severity virtual network peerings alerts found by Prancer.
SeverityHigh
TacticsReconnaissance
TechniquesT1595
Required data connectorsPrancerLogData
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Virtual_Networks_High_Severity.yaml
Version1.0.2
Arm template6bd031cf-78d0-4edd-8191-60f84b6eef7a.json
Deploy To Azure
union prancer_CL
| where deviceProduct_s == 'azure'
| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings'
| where data_data_severity_s == 'High' and data_data_result_s == 'failed'
| extend snapshot = parse_json(data_data_snapshots_s)
| mv-expand snapshot 
| extend
    id = tostring(snapshot.id),
    structure = tostring(snapshot.structure),
    reference = tostring(snapshot.reference),
    source = tostring(snapshot.source),
    collection = tostring(snapshot.collection),
    type = tostring(snapshot.type),
    region = tostring(snapshot.region),
    resourceTypes = tostring(snapshot.resourceTypes),
    path = tostring(snapshot.path)
customDetails: 
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Virtual_Networks_High_Severity.yaml
version: 1.0.2
relevantTechniques:
- T1595
entityMappings:
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: path
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - prancer_CL
  connectorId: PrancerLogData
queryPeriod: 5h
status: Available
tactics:
- Reconnaissance
kind: Scheduled
triggerOperator: gt
query: |
  union prancer_CL
  | where deviceProduct_s == 'azure'
  | where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings'
  | where data_data_severity_s == 'High' and data_data_result_s == 'failed'
  | extend snapshot = parse_json(data_data_snapshots_s)
  | mv-expand snapshot 
  | extend
      id = tostring(snapshot.id),
      structure = tostring(snapshot.structure),
      reference = tostring(snapshot.reference),
      source = tostring(snapshot.source),
      collection = tostring(snapshot.collection),
      type = tostring(snapshot.type),
      region = tostring(snapshot.region),
      resourceTypes = tostring(snapshot.resourceTypes),
      path = tostring(snapshot.path)  
name: VirtualNetworkPeerings Alerts From Prancer
severity: High
alertDetailsOverride:
  alertDescriptionFormat: '{{data_data_description_s}}'
  alertDisplayNameFormat: '{{data_data_message_s}}'
  alertDynamicProperties:
  - alertProperty: RemediationSteps
    value: data_data_remediation_description_s
  alertSeverityColumnName: '{{data_data_severity_s}}'
id: 6bd031cf-78d0-4edd-8191-60f84b6eef7a
queryFrequency: 5h
description: |
    'High severity virtual network peerings alerts found by Prancer.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6bd031cf-78d0-4edd-8191-60f84b6eef7a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6bd031cf-78d0-4edd-8191-60f84b6eef7a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{data_data_description_s}}",
          "alertDisplayNameFormat": "{{data_data_message_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "RemediationSteps",
              "value": "data_data_remediation_description_s"
            }
          ],
          "alertSeverityColumnName": "{{data_data_severity_s}}"
        },
        "alertRuleTemplateName": "6bd031cf-78d0-4edd-8191-60f84b6eef7a",
        "customDetails": null,
        "description": "'High severity virtual network peerings alerts found by Prancer.'\n",
        "displayName": "VirtualNetworkPeerings Alerts From Prancer",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "path",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Virtual_Networks_High_Severity.yaml",
        "query": "union prancer_CL\n| where deviceProduct_s == 'azure'\n| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings'\n| where data_data_severity_s == 'High' and data_data_result_s == 'failed'\n| extend snapshot = parse_json(data_data_snapshots_s)\n| mv-expand snapshot \n| extend\n    id = tostring(snapshot.id),\n    structure = tostring(snapshot.structure),\n    reference = tostring(snapshot.reference),\n    source = tostring(snapshot.source),\n    collection = tostring(snapshot.collection),\n    type = tostring(snapshot.type),\n    region = tostring(snapshot.region),\n    resourceTypes = tostring(snapshot.resourceTypes),\n    path = tostring(snapshot.path)\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1595"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}