Digital Shadows Incident Creation for include-app
| Id | ede3071d-9317-45f9-b36c-6a6effee5294 |
| Rulename | Digital Shadows Incident Creation for include-app |
| Description | Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications |
| Severity | Medium |
| Required data connectors | DigitalShadows |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 6m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml |
| Version | 1.0.1 |
| Arm template | ede3071d-9317-45f9-b36c-6a6effee5294.json |
let DSSearchLight_view = view () { DigitalShadows_CL | where app_s == "include" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
version: 1.0.1
name: Digital Shadows Incident Creation for include-app
eventGroupingSettings:
aggregationKind: AlertPerResult
alertRuleTemplateName:
query: let DSSearchLight_view = view () { DigitalShadows_CL | where app_s == "include" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml
queryFrequency: 5m
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- DigitalShadows_CL
connectorId: DigitalShadows
enabled: true
techniques: []
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByCustomDetails:
- triage_id
groupByEntities: []
reopenClosedIncident: true
matchingMethod: Selected
lookbackDuration: 7d
enabled: true
groupByAlertDetails: []
queryPeriod: 6m
id: ede3071d-9317-45f9-b36c-6a6effee5294
triggerOperator: gt
entityMappings:
suppressionDuration: 5h
customDetails:
mitigation: mitigation
description: description
severity: EventOriginalSeverity
impact: impact
triage_id: EventOriginalUid
status: status
suppressionEnabled: false
relevantTechniques: []
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: |-
{{description}}
{{impact}}
{{mitigation}}
alertDisplayNameFormat: Digital Shadows - {{EventMessage}}
alertTacticsColumnName:
severity: Medium
description: Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications
kind: Scheduled
tactics: []
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ede3071d-9317-45f9-b36c-6a6effee5294')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ede3071d-9317-45f9-b36c-6a6effee5294')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Digital Shadows Incident Creation for include-app",
"description": "Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications",
"severity": "Medium",
"enabled": true,
"query": "let DSSearchLight_view = view () { DigitalShadows_CL | where app_s == \"include\" | extend EventVendor=\"Digital Shadows\", EventProduct=\"SearchLight\",Type=\"DigitalShadows_CL\",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack(\"assets\", assets_s, \"comments\", comments_s, \"description\", description_s, \"incident_id\", id_d, \"alert_id\", id_g, \"short_code\", portal_id_s, \"impact\", impact_description_s, \"mitigation\", mitigation_s, \"risk_factors\", risk_factors_s, \"triage_status\", status_s, \"triage_id\", triage_id_g, \"triage_raised\", triage_raised_time_t,\"triage_updated\", triage_updated_time_t, \"updated\", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments",
"queryFrequency": "PT5M",
"queryPeriod": "PT6M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [],
"techniques": [],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"groupingConfiguration": {
"groupByCustomDetails": [
"triage_id"
],
"groupByEntities": [],
"reopenClosedIncident": true,
"matchingMethod": "Selected",
"lookbackDuration": "P7D",
"enabled": true,
"groupByAlertDetails": []
},
"createIncident": true
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "EventSeverity",
"alertDescriptionFormat": "{{description}}\n\n{{impact}}\n\n{{mitigation}}",
"alertDisplayNameFormat": "Digital Shadows - {{EventMessage}}",
"alertTacticsColumnName": null
},
"customDetails": {
"mitigation": "mitigation",
"description": "description",
"severity": "EventOriginalSeverity",
"impact": "impact",
"triage_id": "EventOriginalUid",
"status": "status"
},
"entityMappings": null,
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml"
}
}
]
}