Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sensitive Data Discovered in the Last 24 Hours - Customized

Back
Id79f296d9-e6e4-45dc-9ca7-1770955435fa
RulenameSensitive Data Discovered in the Last 24 Hours - Customized
DescriptionCustomized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications
SeverityInformational
TacticsDiscovery
TechniquesT1087
Required data connectorsMicrosoftAzurePurview
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml
Version1.0.1
Arm template79f296d9-e6e4-45dc-9ca7-1770955435fa.json
Deploy To Azure
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
  dataTypes:
  - PurviewDataSensitivityLogs
relevantTechniques:
- T1087
queryFrequency: 1d
id: 79f296d9-e6e4-45dc-9ca7-1770955435fa
customDetails:
  PurviewAccount: PurviewAccountName
  LastScanTime: AssetLastScanTime
  AssetName: AssetName
  Classification: Classification
  SourceRegion: SourceRegion
  AssetPath: AssetPath
name: Sensitive Data Discovered in the Last 24 Hours - Customized
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: SourcePath
    identifier: ResourceId
  entityType: AzureResource
- fieldMappings:
  - columnName: AssetName
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: PurviewAccountName
    identifier: Name
  entityType: Account
description: |
    'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'
triggerThreshold: 0
tactics:
- Discovery
query: |
  PurviewDataSensitivityLogs
  | where Classification contains "Social Security Number"
  //| where SourceRegion == "westeurope"
  //| where SourceType contains "Amazon"
  | where TimeGenerated > ago(24h)  
kind: Scheduled
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview
  alertDescriptionFormat: Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}.
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}.",
          "alertDisplayNameFormat": "Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview"
        },
        "alertRuleTemplateName": "79f296d9-e6e4-45dc-9ca7-1770955435fa",
        "customDetails": {
          "AssetName": "AssetName",
          "AssetPath": "AssetPath",
          "Classification": "Classification",
          "LastScanTime": "AssetLastScanTime",
          "PurviewAccount": "PurviewAccountName",
          "SourceRegion": "SourceRegion"
        },
        "description": "'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'\n",
        "displayName": "Sensitive Data Discovered in the Last 24 Hours - Customized",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "SourcePath",
                "identifier": "ResourceId"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "AssetName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PurviewAccountName",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml",
        "query": "PurviewDataSensitivityLogs\n| where Classification contains \"Social Security Number\"\n//| where SourceRegion == \"westeurope\"\n//| where SourceType contains \"Amazon\"\n| where TimeGenerated > ago(24h)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1087"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}