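// Pure Storage FlashBlade "purity.alert" syslog lines: surface the alerts that
// report External Fabric Module XFM1 as unhealthy, with the alert fields parsed out.
// Message (#012 -> newline) and UTCTime were computed here but never projected,
// so they have been dropped.
Syslog
| where SyslogMessage has "purity.alert"
// Cheap pre-filter on the raw line so the regex extractions only run on candidate
// rows; the precise check on the parsed message text is still applied below.
| where SyslogMessage contains_cs "External Fabric Module XFM1 is unhealthy"
// Alert identifier following "Alert ID:".
| extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
// Message text between "(Alert ID: ...)" and the next bracketed number.
| extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
// Same condition the rule previously expressed as an unanchored, metacharacter-free
// regex; contains_cs is the equivalent case-sensitive substring test and is cheaper.
| where PureMessage contains_cs "External Fabric Module XFM1 is unhealthy"
// Positional: the first whitespace-delimited word in the raw message.
// NOTE(review): unlike PureAlertState this is not anchored on "purity.alert:";
// confirm against a sample line that it really yields the severity.
| extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
// Second word after "purity.alert:" (the first word is skipped).
| extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
// First whitespace-preceded token that ends in ":".
// NOTE(review): positional as well; verify it does not pick up an earlier "name:" token.
| extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
// First bracketed number in the line.
| extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
// Text after "Suggested Action:" up to "Knowledge Base Article:" or end of line.
| extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
// Everything after "Knowledge Base Article:".
| extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl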
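# Microsoft Sentinel NRT analytic rule (Pure Storage FlashBlade): fires when a
# purity.alert syslog line reports External Fabric Module XFM1 as unhealthy.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml
query: |-
  // Pure Storage FlashBlade "purity.alert" syslog lines: surface the alerts that
  // report External Fabric Module XFM1 as unhealthy, with the alert fields parsed out.
  // Message (#012 -> newline) and UTCTime were computed here but never projected,
  // so they have been dropped.
  Syslog
  | where SyslogMessage has "purity.alert"
  // Cheap pre-filter on the raw line so the regex extractions only run on candidate
  // rows; the precise check on the parsed message text is still applied below.
  | where SyslogMessage contains_cs "External Fabric Module XFM1 is unhealthy"
  // Alert identifier following "Alert ID:".
  | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
  // Message text between "(Alert ID: ...)" and the next bracketed number.
  | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
  // Same condition the rule previously expressed as an unanchored, metacharacter-free
  // regex; contains_cs is the equivalent case-sensitive substring test and is cheaper.
  | where PureMessage contains_cs "External Fabric Module XFM1 is unhealthy"
  // Positional: the first whitespace-delimited word in the raw message.
  // NOTE(review): unlike PureAlertState this is not anchored on "purity.alert:";
  // confirm against a sample line that it really yields the severity.
  | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
  // Second word after "purity.alert:" (the first word is skipped).
  | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
  // First whitespace-preceded token that ends in ":".
  // NOTE(review): positional as well; verify it does not pick up an earlier "name:" token.
  | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
  // First bracketed number in the line.
  | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
  // Text after "Suggested Action:" up to "Knowledge Base Article:" or end of line.
  | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
  // Everything after "Knowledge Base Article:".
  | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
  | project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
eventGroupingSettings:
  aggregationKind: SingleAlert
# NOTE(review): the Execution tactic / T0871 mapping is an unusual fit for a
# hardware-health alert; confirm this is the intended classification.
tactics:
- Execution
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    enabled: false
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: 5h
    groupByAlertDetails: []
    reopenClosedIncident: false
  createIncident: true
kind: NRT
name: External Fabric Module XFM1 is unhealthy
relevantTechniques:
- T0871
severity: High
# Only the source IP is mapped to an entity; Computer is also projected by the
# query and could additionally be mapped to a Host entity if desired.
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
description: External Fabric Module XFM1 is unhealthy
version: 1.0.0
suppressionEnabled: false
suppressionDuration: 5h
id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf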