Microsoft Sentinel Analytic Rules

New Sonrai Ticket

Id: bcc3362d-b6f9-4de0-b41c-707fafd5a416
Rulename: New Sonrai Ticket
Description: Checks for new Sonrai tickets.

It uses the action type to check whether a ticket has been created.
Severity: Medium
Tactics: Collection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
Techniques: T1566
T1059
T1547
T1548
T1562
T1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectors: SonraiDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml
Version: 1.0.2
Arm template: bcc3362d-b6f9-4de0-b41c-707fafd5a416.json
// Sonrai ticket rows as ingested by the SonraiDataConnector (custom log table).
Sonrai_Tickets_CL
// action_d == 1 is used as the "ticket created" signal (per the rule description).
// NOTE(review): the meaning of action_d codes is not visible here — confirm against the connector schema.
| where action_d == 1
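# Microsoft Sentinel scheduled analytic rule "New Sonrai Ticket".
# Every row the query returns becomes its own alert (AlertPerResult), so one
# Sonrai ticket maps to one Sentinel alert.
id: bcc3362d-b6f9-4de0-b41c-707fafd5a416
name: New Sonrai Ticket
# Block scalar holds the text verbatim: no surrounding quotes (they would leak
# into the rendered description) and no trailing whitespace on the lines.
description: |
  Checks for new Sonrai tickets.
  It uses the action type to check if a ticket has been created.
# Static rule severity; the per-alert severity is taken from the ticket row via
# alertDetailsOverride.alertSeverityColumnName below.
severity: Medium
requiredDataConnectors:
  - connectorId: SonraiDataConnector
    dataTypes:
      - Sonrai_Tickets_CL
# Runs every 5 minutes over the preceding 5 minutes, so each ticket row is
# evaluated exactly once. NOTE(review): rows that land with more than 5m of
# ingestion latency fall outside every window; widen queryPeriod if that is observed.
queryFrequency: 5m
queryPeriod: 5m
# gt 0: fire as soon as the query returns at least one row.
triggerOperator: gt
triggerThreshold: 0
# Tactics and techniques are static for the rule; they are not derived per ticket.
tactics:
  - Collection
  - CommandAndControl
  - CredentialAccess
  - DefenseEvasion
  - Discovery
  - Execution
  - Exfiltration
  - Impact
  - InitialAccess
  - LateralMovement
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1566
  - T1059
  - T1547
  - T1548
  - T1562
  - T1003
  - T1087
  - T1021
  - T1119
  - T1071
  - T1041
  - T1499
# action_d == 1 is used as the "ticket created" signal (see description).
# NOTE(review): the meaning of action_d codes is not visible here — confirm
# against the connector schema.
query: |
  Sonrai_Tickets_CL
  | where action_d == 1
# The ticket's critical resource name is surfaced as a CloudApplication entity.
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: digest_criticalResourceName_s
# Ticket columns copied onto the alert for triage.
customDetails:
  ticketOrg: digest_org_s
  ticketStatus: digest_status_s
  ticketName: digest_title_s
  resourceType: digest_resourceType_s
  resourceLabel: digest_resourceLabel_s
  criticalResource: digest_criticalResourceName_s
alertDetailsOverride:
  alertSeverityColumnName: digest_severityCategory_s
  # Quoted: the value carries {{column}} placeholders that Sentinel fills from the row.
  alertDisplayNameFormat: 'New - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}'
  alertDescriptionFormat: digest_ticketKeyDescription_s
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Quoted so no parser can read the version as a number.
version: '1.0.2'
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml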
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bcc3362d-b6f9-4de0-b41c-707fafd5a416')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bcc3362d-b6f9-4de0-b41c-707fafd5a416')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "New - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "bcc3362d-b6f9-4de0-b41c-707fafd5a416",
        "customDetails": {
          "criticalResource": "digest_criticalResourceName_s",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks for new Sonrai tickets. \nIt uses the action type to check if a ticket has been created'\n",
        "displayName": "New Sonrai Ticket",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 1\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}