Guardian- Regex Policy Violation Detection

Back


Id	d9ad323f-6115-4f19-9e81-feabceeb6730
Rulename	Guardian- Regex Policy Violation Detection
Description	This alert creates an incident when Regex Policy Violation detected from the Guardian.
Severity	Low
Required data connectors	BoschAIShield
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/RegexVulDetection.yaml
Version	1.0.0
Arm template	d9ad323f-6115-4f19-9e81-feabceeb6730.json

KQL

Guardian
| where PolicyViolatedControlFeature =~ 'Regex'
| where Severity =~ 'Low'

YAML

status: Available
queryFrequency: 1h
id: d9ad323f-6115-4f19-9e81-feabceeb6730
tactics: []
entityMappings:
- fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: NTDomain
    identifier: NTDomain
  entityType: Host
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
requiredDataConnectors:
- connectorId: BoschAIShield
  dataTypes:
  - Guardian
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield AI Security Monitoring/Analytic Rules/RegexVulDetection.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Guardian- Regex Policy Violation detection
  alertSeverityColumnName: Severity
  alertTacticsColumnName: 
  alertDescriptionFormat: |
        This query detects Regex Policy Violation detected from the Guardian generated at {{TimeGenerated}}.\n\nPlease check the source for more information and investigate further.
eventGroupingSettings:
  aggregationKind: SingleAlert
query: |
  Guardian
  | where PolicyViolatedControlFeature =~ 'Regex'
  | where Severity =~ 'Low'  
description: |
    'This alert creates an incident when Regex Policy Violation detected from the Guardian.'
relevantTechniques: []
triggerThreshold: 0
queryPeriod: 1h
triggerOperator: gt
name: Guardian- Regex Policy Violation Detection
severity: Low
kind: Scheduled
version: 1.0.0

ARM