Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Virtual Machines Alerts for Prancer

Back
Idc13b025c-ea31-4e4b-8e08-955b8fa91fa0
RulenameVirtual Machines Alerts for Prancer
DescriptionHigh severity virtual machine alerts found by Prancer.
SeverityHigh
TacticsReconnaissance
TechniquesT1595
Required data connectorsPrancerLogData
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/VM_High_Severity.yaml
Version1.0.2
Arm templatec13b025c-ea31-4e4b-8e08-955b8fa91fa0.json
Deploy To Azure
union prancer_CL
| where deviceProduct_s == 'azure'
| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Compute/virtualMachines'
| where data_data_severity_s == 'High' and data_data_result_s == 'failed'
| extend snapshot = parse_json(data_data_snapshots_s)
| mv-expand snapshot 
| extend
    id = tostring(snapshot.id),
    structure = tostring(snapshot.structure),
    reference = tostring(snapshot.reference),
    source = tostring(snapshot.source),
    collection = tostring(snapshot.collection),
    type = tostring(snapshot.type),
    region = tostring(snapshot.region),
    resourceTypes = tostring(snapshot.resourceTypes),
    path = tostring(snapshot.path)
triggerOperator: gt
description: |
    'High severity virtual machine alerts found by Prancer.'
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDescriptionFormat: '{{data_data_description_s}}'
  alertDisplayNameFormat: '{{data_data_message_s}}'
  alertSeverityColumnName: '{{data_data_severity_s}}'
  alertDynamicProperties:
  - alertProperty: RemediationSteps
    value: data_data_remediation_description_s
entityMappings:
- fieldMappings:
  - identifier: ResourceId
    columnName: path
  entityType: AzureResource
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/VM_High_Severity.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - prancer_CL
  connectorId: PrancerLogData
tactics:
- Reconnaissance
relevantTechniques:
- T1595
query: |
  union prancer_CL
  | where deviceProduct_s == 'azure'
  | where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Compute/virtualMachines'
  | where data_data_severity_s == 'High' and data_data_result_s == 'failed'
  | extend snapshot = parse_json(data_data_snapshots_s)
  | mv-expand snapshot 
  | extend
      id = tostring(snapshot.id),
      structure = tostring(snapshot.structure),
      reference = tostring(snapshot.reference),
      source = tostring(snapshot.source),
      collection = tostring(snapshot.collection),
      type = tostring(snapshot.type),
      region = tostring(snapshot.region),
      resourceTypes = tostring(snapshot.resourceTypes),
      path = tostring(snapshot.path)  
id: c13b025c-ea31-4e4b-8e08-955b8fa91fa0
status: Available
customDetails: 
severity: High
name: Virtual Machines Alerts for Prancer
version: 1.0.2
queryFrequency: 5h
queryPeriod: 5h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c13b025c-ea31-4e4b-8e08-955b8fa91fa0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c13b025c-ea31-4e4b-8e08-955b8fa91fa0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{data_data_description_s}}",
          "alertDisplayNameFormat": "{{data_data_message_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "RemediationSteps",
              "value": "data_data_remediation_description_s"
            }
          ],
          "alertSeverityColumnName": "{{data_data_severity_s}}"
        },
        "alertRuleTemplateName": "c13b025c-ea31-4e4b-8e08-955b8fa91fa0",
        "customDetails": null,
        "description": "'High severity virtual machine alerts found by Prancer.'\n",
        "displayName": "Virtual Machines Alerts for Prancer",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "path",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Prancer PenSuiteAI Integration/Analytic Rules/VM_High_Severity.yaml",
        "query": "union prancer_CL\n| where deviceProduct_s == 'azure'\n| where parse_json(data_data_snapshots_s)[0].type == 'Microsoft.Compute/virtualMachines'\n| where data_data_severity_s == 'High' and data_data_result_s == 'failed'\n| extend snapshot = parse_json(data_data_snapshots_s)\n| mv-expand snapshot \n| extend\n    id = tostring(snapshot.id),\n    structure = tostring(snapshot.structure),\n    reference = tostring(snapshot.reference),\n    source = tostring(snapshot.source),\n    collection = tostring(snapshot.collection),\n    type = tostring(snapshot.type),\n    region = tostring(snapshot.region),\n    resourceTypes = tostring(snapshot.resourceTypes),\n    path = tostring(snapshot.path)\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Reconnaissance"
        ],
        "techniques": [
          "T1595"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}