Sonrai Ticket Reopened

Back


Id	b60129ab-ce22-4b76-858d-3204932a13cc
Rulename	Sonrai Ticket Reopened
Description	Checks if Sonrai tickets have been reopened. It uses the action type to check if a ticket has been reopened
Severity	Medium
Tactics	Collection CommandAndControl CredentialAccess DefenseEvasion Discovery Execution Exfiltration Impact InitialAccess LateralMovement Persistence PrivilegeEscalation
Techniques	T1566 T1059 T1547 T1548 T1562 T1003 T1087 T1021 T1119 T1071 T1041 T1499
Required data connectors	SonraiDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketReopened.yaml
Version	1.0.2
Arm template	b60129ab-ce22-4b76-858d-3204932a13cc.json

KQL

Sonrai_Tickets_CL
| where action_d == 3

YAML

relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
name: Sonrai Ticket Reopened
requiredDataConnectors:
- dataTypes:
  - Sonrai_Tickets_CL
  connectorId: SonraiDataConnector
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: digest_criticalResourceName_s
  entityType: CloudApplication
triggerThreshold: 0
id: b60129ab-ce22-4b76-858d-3204932a13cc
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
version: 1.0.2
customDetails:
  criticalResource: digest_criticalResourceName_s
  ticketName: digest_title_s
  ticketStatus: digest_status_s
  resourceType: digest_resourceType_s
  ticketSeverity: digest_severityCategory_s
  reopenedDate: digest_lastReopenDate_d
  ticketOrg: digest_org_s
  resourceLabel: digest_resourceLabel_s
alertDetailsOverride:
  alertDisplayNameFormat: Reopened - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
  alertSeverityColumnName: digest_severityCategory_s
  alertDescriptionFormat: digest_ticketKeyDescription_s
queryPeriod: 5m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketReopened.yaml
queryFrequency: 5m
severity: Medium
status: Available
description: |
  'Checks if Sonrai tickets have been reopened. 
  It uses the action type to check if a ticket has been reopened'  
query: |
  Sonrai_Tickets_CL
  | where action_d == 3  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b60129ab-ce22-4b76-858d-3204932a13cc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b60129ab-ce22-4b76-858d-3204932a13cc')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "Reopened - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "b60129ab-ce22-4b76-858d-3204932a13cc",
        "customDetails": {
          "criticalResource": "digest_criticalResourceName_s",
          "reopenedDate": "digest_lastReopenDate_d",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketSeverity": "digest_severityCategory_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks if Sonrai tickets have been reopened. \nIt uses the action type to check if a ticket has been reopened'\n",
        "displayName": "Sonrai Ticket Reopened",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketReopened.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 3\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}