Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Pure Controller Failed

Back
Idc317b007-84e7-4449-93f4-4444f6638fd0
RulenamePure Controller Failed
DescriptionDetect controller failure and take appropriate response action.
SeverityHigh
TacticsExecution
TechniquesT0871
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml
Version1.0.0
Arm templatec317b007-84e7-4449-93f4-4444f6638fd0.json
Deploy To Azure
Syslog
| where SyslogMessage has "purity.alert"
| extend Message = replace_regex(SyslogMessage, "#012", "\n")
| extend ParsedLog = extract_all(@"((?P<process>.*?)\[(?P<processid>.*?)\]:\s(?P<object>.*)\[(?P<responsecode>\w+)\][\s\S]*Severity:\s*(?P<severity>\S+)\s*(Tag:\s*(?P<reason>\S+))?\s*UTC([\s\S]*)Array Name:\s*(?P<objectname>\S+)\s*Domain:\s*(?P<domainorigin>\S+)\s*(?P<part2log>[\s\S]*))", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)
| mv-expand ParsedLog
| extend ResidueLog = tostring(ParsedLog[8])
| extend Rlog = extract_all(@"(((Suggested Action:\s*(?P<action>[\s\S]*)\s*Knowledge Base Article:\s*(?P<url>.*))|(Knowledge Base Article:\s*(?P<url>.*)\s*Suggested Action:\s*(?P<action>.*)\s*)|(Suggested Action:\s*(?P<action>[\s\S]*)))(([\s\S]*)Purity Version:\s*(?P<pversion>.*))?\s*([\s\S]*)Variables: \(below\)\s*(?P<subject>[\s\S]*))", dynamic(['action','url','pversion','subject']),ResidueLog)
| mv-expand Rlog
| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]
| project-away ResidueLog, Rlog, ParsedLog
| where PureObject matches regex @"(Controllers ct[0-9] have failed)"
name: Pure Controller Failed
alertDetailsOverride:
  alertDynamicProperties: []
severity: High
suppressionEnabled: false
relevantTechniques:
- T0871
version: 1.0.0
description: Detect controller failure and take appropriate response action.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml
query: |-
  Syslog
  | where SyslogMessage has "purity.alert"
  | extend Message = replace_regex(SyslogMessage, "#012", "\n")
  | extend ParsedLog = extract_all(@"((?P<process>.*?)\[(?P<processid>.*?)\]:\s(?P<object>.*)\[(?P<responsecode>\w+)\][\s\S]*Severity:\s*(?P<severity>\S+)\s*(Tag:\s*(?P<reason>\S+))?\s*UTC([\s\S]*)Array Name:\s*(?P<objectname>\S+)\s*Domain:\s*(?P<domainorigin>\S+)\s*(?P<part2log>[\s\S]*))", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)
  | mv-expand ParsedLog
  | extend ResidueLog = tostring(ParsedLog[8])
  | extend Rlog = extract_all(@"(((Suggested Action:\s*(?P<action>[\s\S]*)\s*Knowledge Base Article:\s*(?P<url>.*))|(Knowledge Base Article:\s*(?P<url>.*)\s*Suggested Action:\s*(?P<action>.*)\s*)|(Suggested Action:\s*(?P<action>[\s\S]*)))(([\s\S]*)Purity Version:\s*(?P<pversion>.*))?\s*([\s\S]*)Variables: \(below\)\s*(?P<subject>[\s\S]*))", dynamic(['action','url','pversion','subject']),ResidueLog)
  | mv-expand Rlog
  | extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]
  | project-away ResidueLog, Rlog, ParsedLog
  | where PureObject matches regex @"(Controllers ct[0-9] have failed)"  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
tactics:
- Execution
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    groupByEntities: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByCustomDetails: []
kind: NRT
eventGroupingSettings:
  aggregationKind: SingleAlert
id: c317b007-84e7-4449-93f4-4444f6638fd0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c317b007-84e7-4449-93f4-4444f6638fd0')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c317b007-84e7-4449-93f4-4444f6638fd0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "c317b007-84e7-4449-93f4-4444f6638fd0",
        "customDetails": null,
        "description": "Detect controller failure and take appropriate response action.",
        "displayName": "Pure Controller Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pure Storage/Analytic Rules/PureControllerFailed.yaml",
        "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P<process>.*?)\\[(?P<processid>.*?)\\]:\\s(?P<object>.*)\\[(?P<responsecode>\\w+)\\][\\s\\S]*Severity:\\s*(?P<severity>\\S+)\\s*(Tag:\\s*(?P<reason>\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P<objectname>\\S+)\\s*Domain:\\s*(?P<domainorigin>\\S+)\\s*(?P<part2log>[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P<action>[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P<url>.*))|(Knowledge Base Article:\\s*(?P<url>.*)\\s*Suggested Action:\\s*(?P<action>.*)\\s*)|(Suggested Action:\\s*(?P<action>[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P<pversion>.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P<subject>[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": null,
        "templateVersion": "1.0.0"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}