External Fabric Module XFM1 is unhealthy
| Id | a8130dcc-3617-41c0-a7ac-5f352bcfffaf |
| Rulename | External Fabric Module XFM1 is unhealthy |
| Description | External Fabric Module XFM1 is unhealthy |
| Severity | High |
| Tactics | Execution |
| Techniques | T0871 |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml |
| Version | 1.0.0 |
| Arm template | a8130dcc-3617-41c0-a7ac-5f352bcfffaf.json |
Syslog
| where SyslogMessage has "purity.alert"
| extend Message = replace_string(SyslogMessage, "#012", "\n")
| extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
| extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
| extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
| extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
| extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
| extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
| extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
| extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
| extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
| where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
relevantTechniques:
- T0871
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
groupByCustomDetails: []
groupByAlertDetails: []
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
groupByEntities: []
name: External Fabric Module XFM1 is unhealthy
entityMappings:
- fieldMappings:
- identifier: Address
columnName: HostIP
entityType: IP
query: |-
Syslog
| where SyslogMessage has "purity.alert"
| extend Message = replace_string(SyslogMessage, "#012", "\n")
| extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
| extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
| extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
| extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
| extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
| extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
| extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
| extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
| extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
| where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf
tactics:
- Execution
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml
kind: NRT
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionDuration: 5h
severity: High
suppressionEnabled: false
description: External Fabric Module XFM1 is unhealthy
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a8130dcc-3617-41c0-a7ac-5f352bcfffaf')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a8130dcc-3617-41c0-a7ac-5f352bcfffaf')]",
"properties": {
"alertRuleTemplateName": "a8130dcc-3617-41c0-a7ac-5f352bcfffaf",
"customDetails": null,
"description": "External Fabric Module XFM1 is unhealthy",
"displayName": "External Fabric Module XFM1 is unhealthy",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "HostIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml",
"query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n| where PureMessage matches regex @\"(External Fabric Module XFM1 is unhealthy)\"",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"techniques": null,
"templateVersion": "1.0.0"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}