Theom High Risks

TheomAlerts_CL
 | where priority_s == "P2"

version: 1.0.2
description: |
    "Creates Microsoft Sentinel incidents for high risk Theom alerts."
queryPeriod: 5m
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: customProps_AssetName_s
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: deepLink_s
    identifier: Url
status: Available
id: 74b80987-0a62-448c-8779-47b02e17d3cf
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Exfiltration
- Impact
- Reconnaissance
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
name: Theom High Risks
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksHigh.yaml
kind: Scheduled
relevantTechniques:
- T1592
- T1589
- T1070
- T1552
- T1619
- T1119
- T1560
- T1530
- T1213
- T1001
- T1041
- T1537
- T1485
- T1486
- T1565
query: |
  TheomAlerts_CL
   | where priority_s == "P2"  
severity: High
requiredDataConnectors:
- connectorId: Theom
  dataTypes:
  - TheomAlerts_CL