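// AlertIds that have logged a 'resolved' Status at any point in the lookback window.
// Note: make_set() collects every Status seen for the AlertId, so an alert that
// was resolved and later reopened is excluded here as well.
let ResolvedAlerts = PaloAltoPrismaCloud
| summarize result = make_set(Status) by AlertId
| where result has 'resolved'
| project AlertId;
// High-severity alerts whose NEW_ALERT row is still 'open' and has no resolved row.
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where AlertSeverity =~ 'high'
| where Status =~ 'open'
| where AlertId !in (ResolvedAlerts)
// Age is measured from the NEW_ALERT row's TimeGenerated to query time.
| extend alert_time = now() - TimeGenerated
| where alert_time > 1d
// Whole days open; strcat() stringifies the int itself, so no nested call is needed.
| extend ['Opened Days'] = strcat('Alert opened for ', toint(alert_time / 1d), ' days')
// There is no upper bound on alert_time, so an unresolved alert matches on every
// scheduled run until a 'resolved' Status row for it is ingested.
| distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
| extend AccountCustomEntity = UserName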
query: |
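// AlertIds that have logged a 'resolved' Status at any point in the lookback window.
// Note: make_set() collects every Status seen for the AlertId, so an alert that
// was resolved and later reopened is excluded here as well.
let ResolvedAlerts = PaloAltoPrismaCloud
| summarize result = make_set(Status) by AlertId
| where result has 'resolved'
| project AlertId;
// High-severity alerts whose NEW_ALERT row is still 'open' and has no resolved row.
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where AlertSeverity =~ 'high'
| where Status =~ 'open'
| where AlertId !in (ResolvedAlerts)
// Age is measured from the NEW_ALERT row's TimeGenerated to query time.
| extend alert_time = now() - TimeGenerated
| where alert_time > 1d
// Whole days open; strcat() stringifies the int itself, so no nested call is needed.
| extend ['Opened Days'] = strcat('Alert opened for ', toint(alert_time / 1d), ' days')
// There is no upper bound on alert_time, so an unresolved alert matches on every
// scheduled run until a 'resolved' Status row for it is ingested.
| distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
| extend AccountCustomEntity = UserName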
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
status: Available
description: |
'Detects a high-severity alert that has been open for several days.'
queryFrequency: 1d
name: Palo Alto Prisma Cloud - High severity alert opened for several days
kind: Scheduled
triggerThreshold: 0
id: c5bf680f-fa37-47c3-9f38-e839a9b99c05
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
dataTypes:
- PaloAltoPrismaCloud
severity: Medium
queryPeriod: 14d
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
relevantTechniques:
- T1133
tactics:
- InitialAccess