// Alert ids that carried a 'resolved' status at any point inside the query
// window; every such id is dropped from the result set below.
let ResolvedAlerts = PaloAltoPrismaCloud
| summarize result = make_set(Status) by AlertId
| where result has 'resolved'
| project AlertId;
// High-severity alerts that are still open and not in the resolved set.
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
    and AlertSeverity =~ 'high'
    and Status =~ 'open'
| where AlertId !in (ResolvedAlerts)
// Row age relative to query time. NOTE(review): this treats TimeGenerated as
// the moment the alert was opened — confirm against the connector schema.
| extend alert_time = now() - TimeGenerated
| where alert_time > 1d
// strcat converts the whole-day count to text itself; no nesting needed.
| extend ['Opened Days'] = strcat('Alert opened for ', toint(alert_time / 1d), ' days')
| distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
// Entity column consumed by the rule's Account mapping.
| extend AccountCustomEntity = UserName
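# Scheduled analytic rule: Palo Alto Prisma Cloud high-severity alert that
# stays open. Nested keys and the query block scalar are indented so the
# document parses as YAML.
relevantTechniques:
  - T1133
queryFrequency: 1d
description: |
  'Detects high severity alert which is opened for several days.'
severity: Medium
entityMappings:
  # AccountCustomEntity is produced by the last `extend` in the query.
  - fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
    entityType: Account
# gt 0: any returned row raises an incident.
triggerThreshold: 0
tactics:
  - InitialAccess
requiredDataConnectors:
  - dataTypes:
      - PaloAltoPrismaCloud
    connectorId: PaloAltoPrismaCloud
# Look-back for every run; the ResolvedAlerts set in the query is bounded by
# this window, so a resolution recorded earlier than 14d is not visible to it.
queryPeriod: 14d
id: c5bf680f-fa37-47c3-9f38-e839a9b99c05
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
query: |
  // Alert ids that carried a 'resolved' status at any point in the query
  // window; these are excluded below.
  let ResolvedAlerts = PaloAltoPrismaCloud
  | summarize result = make_set(Status) by AlertId
  | where result has 'resolved'
  | project AlertId;
  // High-severity alerts still open and not in the resolved set.
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where AlertSeverity =~ 'high'
  | where Status =~ 'open'
  | where AlertId !in (ResolvedAlerts)
  // Row age relative to query time. NOTE(review): this treats TimeGenerated
  // as the moment the alert was opened — confirm against the connector schema.
  | extend alert_time = now() - TimeGenerated
  | where alert_time > 1d
  | extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))
  | distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
  // Entity column consumed by entityMappings above.
  | extend AccountCustomEntity = UserName
name: Palo Alto Prisma Cloud - High severity alert opened for several days
version: 1.0.2
kind: Scheduled
status: Available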