Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

New Sonrai Ticket

Back
Idbcc3362d-b6f9-4de0-b41c-707fafd5a416
RulenameNew Sonrai Ticket
DescriptionChecks for new Sonrai tickets.

It uses the action type to check if a ticket has been created
SeverityMedium
TacticsCollection
CommandAndControl
CredentialAccess
DefenseEvasion
Discovery
Execution
Exfiltration
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
TechniquesT1566
T1059
T1547
T1548
T1562
T1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsSonraiDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml
Version1.0.2
Arm templatebcc3362d-b6f9-4de0-b41c-707fafd5a416.json
Deploy To Azure
Sonrai_Tickets_CL
| where action_d == 1
queryPeriod: 5m
version: 1.0.2
requiredDataConnectors:
- connectorId: SonraiDataConnector
  dataTypes:
  - Sonrai_Tickets_CL
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
triggerOperator: gt
alertDetailsOverride:
  alertDescriptionFormat: digest_ticketKeyDescription_s
  alertSeverityColumnName: digest_severityCategory_s
  alertDisplayNameFormat: New - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
severity: Medium
name: New Sonrai Ticket
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
customDetails:
  ticketStatus: digest_status_s
  resourceLabel: digest_resourceLabel_s
  ticketOrg: digest_org_s
  ticketName: digest_title_s
  criticalResource: digest_criticalResourceName_s
  resourceType: digest_resourceType_s
query: |
  Sonrai_Tickets_CL
  | where action_d == 1  
queryFrequency: 5m
id: bcc3362d-b6f9-4de0-b41c-707fafd5a416
status: Available
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: digest_criticalResourceName_s
    identifier: Name
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  'Checks for new Sonrai tickets. 
  It uses the action type to check if a ticket has been created'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bcc3362d-b6f9-4de0-b41c-707fafd5a416')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bcc3362d-b6f9-4de0-b41c-707fafd5a416')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "digest_ticketKeyDescription_s",
          "alertDisplayNameFormat": "New - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}",
          "alertSeverityColumnName": "digest_severityCategory_s"
        },
        "alertRuleTemplateName": "bcc3362d-b6f9-4de0-b41c-707fafd5a416",
        "customDetails": {
          "criticalResource": "digest_criticalResourceName_s",
          "resourceLabel": "digest_resourceLabel_s",
          "resourceType": "digest_resourceType_s",
          "ticketName": "digest_title_s",
          "ticketOrg": "digest_org_s",
          "ticketStatus": "digest_status_s"
        },
        "description": "'Checks for new Sonrai tickets. \nIt uses the action type to check if a ticket has been created'\n",
        "displayName": "New Sonrai Ticket",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "digest_criticalResourceName_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiNewTicket.yaml",
        "query": "Sonrai_Tickets_CL\n| where action_d == 1\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1059",
          "T1071",
          "T1087",
          "T1119",
          "T1499",
          "T1547",
          "T1548",
          "T1562",
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}