Guardian- Regex Policy Violation Detection

Back


Id	d9ad323f-6115-4f19-9e81-feabceeb6730
Rulename	Guardian- Regex Policy Violation Detection
Description	This alert creates an incident when Regex Policy Violation detected from the Guardian.
Severity	Low
Required data connectors	BoschAIShield
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/RegexVulDetection.yaml
Version	1.0.0
Arm template	d9ad323f-6115-4f19-9e81-feabceeb6730.json

KQL

Guardian
| where PolicyViolatedControlFeature =~ 'Regex'
| where Severity =~ 'Low'

YAML

alertDetailsOverride:
  alertTacticsColumnName: 
  alertSeverityColumnName: Severity
  alertDescriptionFormat: |
        This query detects Regex Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\n\nPlease check the source for more information and investigate further.
  alertDisplayNameFormat: Guardian- Regex Policy Violation detection
relevantTechniques: []
name: Guardian- Regex Policy Violation Detection
queryFrequency: 1h
version: 1.0.0
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- connectorId: BoschAIShield
  dataTypes:
  - Guardian
tactics: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/RegexVulDetection.yaml
query: |
  Guardian
  | where PolicyViolatedControlFeature =~ 'Regex'
  | where Severity =~ 'Low'  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
id: d9ad323f-6115-4f19-9e81-feabceeb6730
status: Available
description: |
    'This alert creates an incident when Regex Policy Violation detected from the Guardian.'

ARM