Sensitive Data Discovered in the Last 24 Hours - Customized
Id | 79f296d9-e6e4-45dc-9ca7-1770955435fa |
Rulename | Sensitive Data Discovered in the Last 24 Hours - Customized |
Description | Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications |
Severity | Informational |
Tactics | Discovery |
Techniques | T1087 |
Required data connectors | MicrosoftAzurePurview |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml |
Version | 1.0.1 |
Arm template | 79f296d9-e6e4-45dc-9ca7-1770955435fa.json |
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
severity: Informational
relevantTechniques:
- T1087
requiredDataConnectors:
- dataTypes:
- PurviewDataSensitivityLogs
connectorId: MicrosoftAzurePurview
triggerThreshold: 0
description: |
'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'
triggerOperator: gt
alertDetailsOverride:
alertDescriptionFormat: Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}.
alertDisplayNameFormat: Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview
name: Sensitive Data Discovered in the Last 24 Hours - Customized
customDetails:
SourceRegion: SourceRegion
LastScanTime: AssetLastScanTime
AssetPath: AssetPath
AssetName: AssetName
Classification: Classification
PurviewAccount: PurviewAccountName
queryFrequency: 1d
version: 1.0.1
query: |
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- columnName: SourcePath
identifier: ResourceId
- entityType: File
fieldMappings:
- columnName: AssetName
identifier: Name
- entityType: Account
fieldMappings:
- columnName: PurviewAccountName
identifier: Name
tactics:
- Discovery
queryPeriod: 1d
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml
id: 79f296d9-e6e4-45dc-9ca7-1770955435fa
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}.",
"alertDisplayNameFormat": "Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview"
},
"alertRuleTemplateName": "79f296d9-e6e4-45dc-9ca7-1770955435fa",
"customDetails": {
"AssetName": "AssetName",
"AssetPath": "AssetPath",
"Classification": "Classification",
"LastScanTime": "AssetLastScanTime",
"PurviewAccount": "PurviewAccountName",
"SourceRegion": "SourceRegion"
},
"description": "'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'\n",
"displayName": "Sensitive Data Discovered in the Last 24 Hours - Customized",
"enabled": true,
"entityMappings": [
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "SourcePath",
"identifier": "ResourceId"
}
]
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "AssetName",
"identifier": "Name"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "PurviewAccountName",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml",
"query": "PurviewDataSensitivityLogs\n| where Classification contains \"Social Security Number\"\n//| where SourceRegion == \"westeurope\"\n//| where SourceType contains \"Amazon\"\n| where TimeGenerated > ago(24h)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Informational",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1087"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}