Theom Critical Risks

TheomAlerts_CL
 | where priority_s == "P1"

name: Theom Critical Risks
queryPeriod: 5m
queryFrequency: 5m
kind: Scheduled
id: bb9051ef-0e72-4758-a143-80c25ee452f0
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
triggerOperator: gt
description: |
    "Creates Microsoft Sentinel incidents for critical risk Theom alerts."
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksCritical.yaml
status: Available
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: customProps_AssetName_s
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: deepLink_s
triggerThreshold: 0
severity: High
version: 1.0.3
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Exfiltration
- Impact
- Reconnaissance
query: |
  TheomAlerts_CL
   | where priority_s == "P1"  
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
relevantTechniques:
- T1592
- T1589
- T1070
- T1552
- T1619
- T1119
- T1560
- T1530
- T1213
- T1001
- T1041
- T1537
- T1485
- T1486
- T1565