RecordedFutureIdentity_PlaybookAlertResults_CL
| where TimeGenerated >= now(-15m)
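# Microsoft Sentinel NRT analytics rule: one alert per row that Recorded Future
# Identity writes to RecordedFutureIdentity_PlaybookAlertResults_CL, i.e. one
# alert per reported credential exposure for an identity in the organisation.
#
# NOTE(review): every returned row becomes an alert (triggerOperator gt with
# triggerThreshold 0, aggregationKind AlertPerResult) and the query applies no
# content filter, so incident volume is driven entirely by what the connector
# writes to the table. The only de-duplication is the 15-minute entity
# grouping configured in incidentConfiguration below.
id: b1c2d3e4-5678-90ab-cdef-444444444444
name: Recorded Future Identity - Credential Exposure Detected
# Block scalar, used verbatim: the text must not be wrapped in quotes, or the
# quote characters are shown literally in the rule description.
description: |
  Creates incidents when Recorded Future Identity detects compromised credentials for users in your organization
severity: High
status: Available
# NOTE(review): no requiredDataConnectors entry is declared, so the template
# does not tie this rule to the Recorded Future Identity connector; if the
# solution expects one, add it — confirm the connector id used by the solution.
kind: NRT
# NOTE(review): for NRT rules the platform controls the evaluation cadence; the
# two values below are kept as originally written but may not be what actually
# governs the run — confirm against the platform documentation.
queryFrequency: 15m
queryPeriod: 15m
# Any result fires the rule.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
# No technique is assigned; this only affects MITRE coverage reporting, not
# detection behaviour.
relevantTechniques: []
# NOTE(review): the explicit filter is on TimeGenerated relative to now(); a
# row ingested more than 15 minutes after its TimeGenerated falls outside the
# window and is never alerted on. If late ingestion is possible for this
# connector, filtering on ingestion_time() (or relying on the engine's own
# window) is the safer choice — confirm before changing.
query: |
  RecordedFutureIdentity_PlaybookAlertResults_CL
  | where TimeGenerated >= now(-15m)
entityMappings:
  - entityType: Account
    fieldMappings:
      # NOTE(review): only the bare Name is mapped. If panel_status_entity_name_s
      # carries a UPN / e-mail, splitting it into Name and UPNSuffix would let
      # Sentinel correlate the account with other data sources — confirm the
      # column's format first. A row with an empty value produces an alert with
      # no Account entity, which the entity grouping below cannot merge.
      - identifier: Name
        columnName: panel_status_entity_name_s
# Exposed on the alert so an analyst can pivot without re-running the query.
customDetails:
  # Type is the standard table-name column, i.e. the feed the row came from.
  RFLabel: Type
  AlertId: playbook_alert_id_s
# Placeholders are substituted per row. The substituted values (including
# alert_description_s) come from the vendor feed and are rendered as markdown
# in the incident; nothing here sanitises them, so treat the rendered
# description as untrusted text if it is forwarded to other systems.
alertDetailsOverride:
  alertDisplayNameFormat: 'Identity Exposure: {{panel_status_entity_name_s}} with priority: {{panel_status_priority_s}}'
  alertDescriptionFormat: |
    _Recorded Future Identity Alert_
    **Rule Name:** {{panel_status_alert_rule_name_s}}
    **Alert ID:** {{playbook_alert_id_s}}
    **Evidence Summary:** {{alert_description_s}}
    Investigate this identity by searching in log analytics workspace for the Alert ID.
  alertDynamicProperties: []
# One alert per row. Repeated exposures of the same account are collapsed into
# one incident only while they fall within lookbackDuration (15m) and that
# incident is still open (reopenClosedIncident false); otherwise each row
# opens a fresh incident.
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 15m
    matchingMethod: AllEntities
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
# Provenance of this rule in the upstream Azure-Sentinel repository (not part
# of the analytics-rule schema).
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future Identity/Analytic Rules/IncidentCreation/RecordedFutureIdentityExposure.yaml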