Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NetworkSecurityGroups Alert From Prancer

Back
Ida8babf91-b844-477c-8abf-d31e3df74933
RulenameNetworkSecurityGroups Alert From Prancer
DescriptionHigh severity network security groups alerts found by Prancer.
SeverityHigh
TacticsReconnaissance
TechniquesT1595
Required data connectorsPrancerLogData
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Network_Security_Groups_High_Severity.yaml
Version1.0.2
Arm templatea8babf91-b844-477c-8abf-d31e3df74933.json
Deploy To Azure
union prancer_CL
| where deviceProduct_s == 'azure'
| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkSecurityGroups' //and parse_json(data_data_snapshots_s)[0].region != ''
| where data_data_severity_s == 'High' and data_data_result_s == 'failed'
| extend snapshot = parse_json(data_data_snapshots_s)
| mv-expand snapshot 
| extend
    id = tostring(snapshot.id),
    structure = tostring(snapshot.structure),
    reference = tostring(snapshot.reference),
    source = tostring(snapshot.source),
    collection = tostring(snapshot.collection),
    type = tostring(snapshot.type),
    region = tostring(snapshot.region),
    resourceTypes = tostring(snapshot.resourceTypes),
    path = tostring(snapshot.path)
relevantTechniques:
- T1595
name: NetworkSecurityGroups Alert From Prancer
requiredDataConnectors:
- dataTypes:
  - prancer_CL
  connectorId: PrancerLogData
entityMappings:
- fieldMappings:
  - identifier: ResourceId
    columnName: path
  entityType: AzureResource
triggerThreshold: 0
id: a8babf91-b844-477c-8abf-d31e3df74933
tactics:
- Reconnaissance
version: 1.0.2
customDetails: 
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: RemediationSteps
    value: data_data_remediation_description_s
  alertDisplayNameFormat: '{{data_data_message_s}}'
  alertSeverityColumnName: '{{data_data_severity_s}}'
  alertDescriptionFormat: '{{data_data_description_s}}'
queryPeriod: 5h
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Network_Security_Groups_High_Severity.yaml
queryFrequency: 5h
severity: High
status: Available
description: |
    'High severity network security groups alerts found by Prancer.'
query: |
  union prancer_CL
  | where deviceProduct_s == 'azure'
  | where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkSecurityGroups' //and parse_json(data_data_snapshots_s)[0].region != ''
  | where data_data_severity_s == 'High' and data_data_result_s == 'failed'
  | extend snapshot = parse_json(data_data_snapshots_s)
  | mv-expand snapshot 
  | extend
      id = tostring(snapshot.id),
      structure = tostring(snapshot.structure),
      reference = tostring(snapshot.reference),
      source = tostring(snapshot.source),
      collection = tostring(snapshot.collection),
      type = tostring(snapshot.type),
      region = tostring(snapshot.region),
      resourceTypes = tostring(snapshot.resourceTypes),
      path = tostring(snapshot.path)  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a8babf91-b844-477c-8abf-d31e3df74933')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a8babf91-b844-477c-8abf-d31e3df74933')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{data_data_description_s}}",
          "alertDisplayNameFormat": "{{data_data_message_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "RemediationSteps",
              "value": "data_data_remediation_description_s"
            }
          ],
          "alertSeverityColumnName": "{{data_data_severity_s}}"
        },
        "alertRuleTemplateName": "a8babf91-b844-477c-8abf-d31e3df74933",
        "customDetails": null,
        "description": "'High severity network security groups alerts found by Prancer.'\n",
        "displayName": "NetworkSecurityGroups Alert From Prancer",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "path",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/Network_Security_Groups_High_Severity.yaml",
        "query": "union prancer_CL\n| where deviceProduct_s == 'azure'\n| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Network/networkSecurityGroups' //and parse_json(data_data_snapshots_s)[0].region != ''\n| where data_data_severity_s == 'High' and data_data_result_s == 'failed'\n| extend snapshot = parse_json(data_data_snapshots_s)\n| mv-expand snapshot \n| extend\n    id = tostring(snapshot.id),\n    structure = tostring(snapshot.structure),\n    reference = tostring(snapshot.reference),\n    source = tostring(snapshot.source),\n    collection = tostring(snapshot.collection),\n    type = tostring(snapshot.type),\n    region = tostring(snapshot.region),\n    resourceTypes = tostring(snapshot.resourceTypes),\n    path = tostring(snapshot.path)\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1595"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}