Theom Insights

TheomAlerts_CL
 | where priority_s == "P5"

entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: customProps_AssetName_s
  entityType: CloudApplication
- fieldMappings:
  - identifier: Url
    columnName: deepLink_s
  entityType: URL
kind: Scheduled
description: |
    "Creates Microsoft Sentinel incidents for Theom insight alerts."
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Exfiltration
- Impact
- Reconnaissance
triggerOperator: gt
version: 1.0.2
requiredDataConnectors:
- connectorId: Theom
  dataTypes:
  - TheomAlerts_CL
id: d200da84-0191-44ce-ad9e-b85e64c84c89
name: Theom Insights
status: Available
query: |
  TheomAlerts_CL
   | where priority_s == "P5"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TheomRisksInsights.yaml
severity: Low
alertDetailsOverride:
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Resource ID: {{customProps_AssetName_s}}
relevantTechniques:
- T1592
- T1589
- T1070
- T1552
- T1619
- T1119
- T1560
- T1530
- T1213
- T1001
- T1041
- T1537
- T1485
- T1486
- T1565
triggerThreshold: 0
queryFrequency: 5m