RecordedFutureIdentity_PlaybookAlertResults_CL
| where TimeGenerated >= now(-15m)
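# Microsoft Sentinel analytic rule (NRT kind): raises one alert per row that
# Recorded Future Identity writes to the PlaybookAlertResults custom table,
# i.e. one alert per detected credential exposure, and groups the resulting
# incidents by the exposed account.
id: b1c2d3e4-5678-90ab-cdef-444444444444
name: Recorded Future Identity - Credential Exposure Detected
# Fix: the description text was wrapped in single quotes inside a literal
# block scalar, so the quotes became part of the rendered description.
description: |
  Creates incidents when Recorded Future Identity detects compromised credentials for users in your organization
severity: High
status: Available
enabled: true
kind: NRT
# NOTE(review): the scheduling/threshold keys below are kept as the source
# had them; NRT rules in this repository usually omit queryFrequency,
# queryPeriod, triggerOperator and triggerThreshold — confirm the deployment
# template accepts them for kind: NRT.
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques: []
# Every row ingested into the results table is treated as a finding; the
# TimeGenerated bound limits the rows considered to the last 15 minutes.
query: |
  RecordedFutureIdentity_PlaybookAlertResults_CL
  | where TimeGenerated >= now(-15m)
# One alert per matching row (per exposed identity), not one per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# The exposed identity name is mapped to an Account entity so incidents can
# be grouped and investigated per account.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: panel_status_entity_name_s
# Alert title/body are built from the row's columns; the description tells
# the analyst to pivot on the Alert ID, which customDetails also surfaces.
alertDetailsOverride:
  alertDisplayNameFormat: 'Identity Exposure: {{panel_status_entity_name_s}} with priority: {{panel_status_priority_s}}'
  alertDescriptionFormat: |
    _Recorded Future Identity Alert_
    **Rule Name:** {{panel_status_alert_rule_name_s}}
    **Alert ID:** {{playbook_alert_id_s}}
    **Evidence Summary:** {{alert_description_s}}
    Investigate this identity by searching in log analytics workspace for the Alert ID.
  alertDynamicProperties: []
# Surfaced on the alert for pivoting back to the source record.
customDetails:
  AlertId: playbook_alert_id_s
  RFLabel: Type
# Alerts for the same Account entity within 15 minutes are grouped into one
# incident; closed incidents are not reopened by later matches.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 15m
    matchingMethod: AllEntities
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded Future Identity/Analytic Rules/IncidentCreation/RecordedFutureIdentityExposure.yaml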