Sensitive Data Discovered in the Last 24 Hours - Customized
| Id | 79f296d9-e6e4-45dc-9ca7-1770955435fa |
| Rulename | Sensitive Data Discovered in the Last 24 Hours - Customized |
| Description | Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications |
| Severity | Informational |
| Tactics | Discovery |
| Techniques | T1087 |
| Required data connectors | MicrosoftAzurePurview |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml |
| Version | 1.0.1 |
| Arm template | 79f296d9-e6e4-45dc-9ca7-1770955435fa.json |
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
triggerOperator: gt
queryFrequency: 1d
name: Sensitive Data Discovered in the Last 24 Hours - Customized
alertDetailsOverride:
alertDescriptionFormat: Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}.
alertDisplayNameFormat: Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview
queryPeriod: 1d
id: 79f296d9-e6e4-45dc-9ca7-1770955435fa
description: |
'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml
query: |
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
version: 1.0.1
kind: Scheduled
customDetails:
LastScanTime: AssetLastScanTime
PurviewAccount: PurviewAccountName
AssetPath: AssetPath
AssetName: AssetName
SourceRegion: SourceRegion
Classification: Classification
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
- entityType: File
fieldMappings:
- identifier: Name
columnName: AssetName
- entityType: Account
fieldMappings:
- identifier: Name
columnName: PurviewAccountName
relevantTechniques:
- T1087
tactics:
- Discovery
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79f296d9-e6e4-45dc-9ca7-1770955435fa')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Sensitive Data Discovered in the Last 24 Hours - Customized",
"description": "'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Microsoft Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Microsoft Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'\n",
"severity": "Informational",
"enabled": true,
"query": "PurviewDataSensitivityLogs\n| where Classification contains \"Social Security Number\"\n//| where SourceRegion == \"westeurope\"\n//| where SourceType contains \"Amazon\"\n| where TimeGenerated > ago(24h)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1087"
],
"alertRuleTemplateName": "79f296d9-e6e4-45dc-9ca7-1770955435fa",
"alertDetailsOverride": {
"alertDisplayNameFormat": "Sensitive Data Discovered in the Last 24 Hours by Microsoft Purview",
"alertDescriptionFormat": "Within the last 24 hours, Microsoft Purview scanned assets that contained classifications. The classifications discovered include {{Classification}}."
},
"customDetails": {
"SourceRegion": "SourceRegion",
"LastScanTime": "AssetLastScanTime",
"PurviewAccount": "PurviewAccountName",
"AssetName": "AssetName",
"AssetPath": "AssetPath",
"Classification": "Classification"
},
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "ResourceId",
"columnName": "SourcePath"
}
],
"entityType": "AzureResource"
},
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "AssetName"
}
],
"entityType": "File"
},
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "PurviewAccountName"
}
],
"entityType": "Account"
}
],
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Purview/Analytic Rules/MicrosoftPurviewSensitiveDataDiscoveredCustom.yaml"
}
}
]
}