Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Digital Shadows Incident Creation for include-app

Back
Idede3071d-9317-45f9-b36c-6a6effee5294
RulenameDigital Shadows Incident Creation for include-app
DescriptionDigital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications
SeverityMedium
Required data connectorsDigitalShadows
KindScheduled
Query frequency5m
Query period6m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml
Version1.0.2
Arm templateede3071d-9317-45f9-b36c-6a6effee5294.json
Deploy To Azure
let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == "include" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
requiredDataConnectors:
- connectorId: DigitalShadows
  dataTypes:
  - DigitalShadows_CL
query: let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == "include" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
version: 1.0.2
triggerOperator: gt
queryPeriod: 6m
triggerThreshold: 0
kind: Scheduled
enabled: true
suppressionDuration: 5h
relevantTechniques: []
name: Digital Shadows Incident Creation for include-app
description: Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications
severity: Medium
tactics: []
techniques: []
customDetails:
  triage_id: EventOriginalUid
  impact: impact
  status: status
  mitigation: mitigation
  description: description
  severity: EventOriginalSeverity
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: EventReportUrl
    identifier: Url
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertRuleTemplateName: 
alertDetailsOverride:
  alertDisplayNameFormat: Digital Shadows - {{EventMessage}}
  alertSeverityColumnName: EventSeverity
  alertDescriptionFormat: |-
    {{description}}

    {{impact}}

    {{mitigation}}    
  alertTacticsColumnName: 
id: ede3071d-9317-45f9-b36c-6a6effee5294
incidentConfiguration:
  groupingConfiguration:
    groupByAlertDetails: []
    enabled: true
    groupByEntities: []
    matchingMethod: Selected
    reopenClosedIncident: true
    lookbackDuration: 7d
    groupByCustomDetails:
    - triage_id
  createIncident: true
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ede3071d-9317-45f9-b36c-6a6effee5294')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ede3071d-9317-45f9-b36c-6a6effee5294')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}\n\n{{impact}}\n\n{{mitigation}}",
          "alertDisplayNameFormat": "Digital Shadows - {{EventMessage}}",
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "ede3071d-9317-45f9-b36c-6a6effee5294",
        "customDetails": {
          "description": "description",
          "impact": "impact",
          "mitigation": "mitigation",
          "severity": "EventOriginalSeverity",
          "status": "status",
          "triage_id": "EventOriginalUid"
        },
        "description": "Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for included classifications",
        "displayName": "Digital Shadows Incident Creation for include-app",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "EventReportUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "triage_id"
            ],
            "groupByEntities": [],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_include.yaml",
        "query": "let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == \"include\" | extend EventVendor=\"Digital Shadows\", EventProduct=\"SearchLight\",Type=\"DigitalShadows_CL\",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack(\"assets\", assets_s, \"comments\", comments_s, \"description\", description_s, \"incident_id\", id_d, \"alert_id\", id_g, \"short_code\", portal_id_s, \"impact\", impact_description_s, \"mitigation\", mitigation_s, \"risk_factors\", risk_factors_s, \"triage_status\", status_s, \"triage_id\", triage_id_g, \"triage_raised\", triage_raised_time_t,\"triage_updated\", triage_updated_time_t, \"updated\", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT6M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}