Theom High Risks

Back


Id	74b80987-0a62-448c-8779-47b02e17d3cf
Rulename	Theom High Risks
Description	“Creates Microsoft Sentinel incidents for high risk Theom alerts.”
Severity	High
Required data connectors	Theom
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksHigh.yaml
Version	1.0.1
Arm template	74b80987-0a62-448c-8779-47b02e17d3cf.json

KQL

TheomAlerts_CL
 | where priority_s == "P2"

YAML

description: |
    "Creates Microsoft Sentinel incidents for high risk Theom alerts."
status: Available
queryPeriod: 5m
severity: High
alertDetailsOverride:
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
version: 1.0.1
name: Theom High Risks
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
id: 74b80987-0a62-448c-8779-47b02e17d3cf
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksHigh.yaml
entityMappings:
- fieldMappings:
  - columnName: customProps_AssetName_s
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: deepLink_s
    identifier: Url
  entityType: URL
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
query: |
  TheomAlerts_CL
   | where priority_s == "P2"

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74b80987-0a62-448c-8779-47b02e17d3cf')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74b80987-0a62-448c-8779-47b02e17d3cf')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "\nSummary: {{summary_s}}  \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
          "alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
        },
        "alertRuleTemplateName": "74b80987-0a62-448c-8779-47b02e17d3cf",
        "customDetails": null,
        "description": "\"Creates Microsoft Sentinel incidents for high risk Theom alerts.\"\n",
        "displayName": "Theom High Risks",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "customProps_AssetName_s",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "deepLink_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksHigh.yaml",
        "query": "TheomAlerts_CL\n | where priority_s == \"P2\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}