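# Microsoft Sentinel analytic rule (Recorded Future Identity solution).
# Raises an incident for each new row written to the
# RecordedFutureIdentity_PlaybookAlertResults_CL table, i.e. each credential
# exposure the Recorded Future Identity playbook alert reports.
#
# The two stray query lines that preceded the first key have been dropped:
# they duplicated the `query` value below and made the document unparseable
# (a bare scalar cannot precede a top-level mapping).
id: b1c2d3e4-5678-90ab-cdef-444444444444
name: Recorded Future Identity - Credential Exposure Detected
# NOTE: with a literal block scalar (|) the single quotes are part of the
# stored description text; kept unchanged so the rendered value is identical.
description: |
  'Creates incidents when Recorded Future Identity detects compromised credentials for users in your organization'
severity: High
status: Available
# NOTE(review): NRT rules are scheduled by Sentinel itself; whether
# queryFrequency/queryPeriod are honoured for kind NRT should be confirmed
# against the Sentinel docs. Values are kept as written.
kind: NRT
queryFrequency: 15m
queryPeriod: 15m
# gt 0: any row returned by the query fires the rule.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques: []
# The 15-minute window inside the query mirrors queryPeriod above; keep the
# two in sync if either is changed.
query: |
  RecordedFutureIdentity_PlaybookAlertResults_CL
  | where TimeGenerated >= now(-15m)
# Maps the exposed user name column to an Account entity so incidents can be
# grouped per affected account (see groupingConfiguration below).
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: panel_status_entity_name_s
        identifier: Name
# Custom detail keys surfaced on the alert; values are column names.
customDetails:
  AlertId: playbook_alert_id_s
  RFLabel: Type
alertDetailsOverride:
  alertDisplayNameFormat: 'Identity Exposure: {{panel_status_entity_name_s}} with priority: {{panel_status_priority_s}}'
  # The interpolated columns (rule name, alert id, evidence summary) are
  # vendor-supplied text from the ingested table; they are rendered as-is in
  # the incident and should be treated as display text, not as verified facts.
  alertDescriptionFormat: |
    _Recorded Future Identity Alert_
    **Rule Name:** {{panel_status_alert_rule_name_s}}
    **Alert ID:** {{playbook_alert_id_s}}
    **Evidence Summary:** {{alert_description_s}}
    Investigate this identity by searching in log analytics workspace for the Alert ID.
  alertDynamicProperties: []
# One alert per returned row rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    # Alerts whose Account entity matches are folded into one incident for
    # the lookback window; closed incidents are not reopened.
    matchingMethod: AllEntities
    groupByEntities:
      - Account
    groupByCustomDetails: []
    groupByAlertDetails: []
    reopenClosedIncident: false
    lookbackDuration: 15m
version: 1.0.0
# Non-schema metadata carried by the source page; quoted because the path
# contains spaces.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future Identity/Analytic Rules/IncidentCreation/RecordedFutureIdentityExposure.yaml'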