Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prisma Cloud - High severity alert opened for several days

Back
Idc5bf680f-fa37-47c3-9f38-e839a9b99c05
RulenamePalo Alto Prisma Cloud - High severity alert opened for several days
DescriptionDetects high severity alert which is opened for several days.
SeverityMedium
TacticsInitialAccess
TechniquesT1133
Required data connectorsPaloAltoPrismaCloud
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
Version1.0.2
Arm templatec5bf680f-fa37-47c3-9f38-e839a9b99c05.json
Deploy To Azure
let ResolvedAlerts = PaloAltoPrismaCloud
| summarize result = make_set(Status) by AlertId
| where result has 'resolved'
| project AlertId;
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where AlertSeverity =~ 'high' 
| where Status =~ 'open'
| where AlertId !in (ResolvedAlerts)
| extend alert_time = now() - TimeGenerated
| where alert_time > 1d
| extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))
| distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
| extend AccountCustomEntity = UserName
status: Available
id: c5bf680f-fa37-47c3-9f38-e839a9b99c05
query: |
  let ResolvedAlerts = PaloAltoPrismaCloud
  | summarize result = make_set(Status) by AlertId
  | where result has 'resolved'
  | project AlertId;
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where AlertSeverity =~ 'high' 
  | where Status =~ 'open'
  | where AlertId !in (ResolvedAlerts)
  | extend alert_time = now() - TimeGenerated
  | where alert_time > 1d
  | extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))
  | distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
  | extend AccountCustomEntity = UserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
description: |
    'Detects high severity alert which is opened for several days.'
name: Palo Alto Prisma Cloud - High severity alert opened for several days
relevantTechniques:
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
queryFrequency: 1d
queryPeriod: 14d
version: 1.0.2
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5bf680f-fa37-47c3-9f38-e839a9b99c05')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5bf680f-fa37-47c3-9f38-e839a9b99c05')]",
      "properties": {
        "alertRuleTemplateName": "c5bf680f-fa37-47c3-9f38-e839a9b99c05",
        "customDetails": null,
        "description": "'Detects high severity alert which is opened for several days.'\n",
        "displayName": "Palo Alto Prisma Cloud - High severity alert opened for several days",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml",
        "query": "let ResolvedAlerts = PaloAltoPrismaCloud\n| summarize result = make_set(Status) by AlertId\n| where result has 'resolved'\n| project AlertId;\nPaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where AlertSeverity =~ 'high' \n| where Status =~ 'open'\n| where AlertId !in (ResolvedAlerts)\n| extend alert_time = now() - TimeGenerated\n| where alert_time > 1d\n| extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))\n| distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}