Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Theom - Dev secrets unencrypted

Theom - Dev secrets unencrypted

Back
Idf2490f5b-269c-471d-9ff4-475f62ea498e
RulenameTheom - Dev secrets unencrypted
Description“Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)”
SeverityHigh
TacticsCredentialAccess
TechniquesT1552
Required data connectorsTheom
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
Version1.0.2
Arm templatef2490f5b-269c-471d-9ff4-475f62ea498e.json
Deploy To Azure
TheomAlerts_CL
  | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
query: |
  TheomAlerts_CL
    | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")  
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
tactics:
- CredentialAccess
name: Theom - Dev secrets unencrypted
relevantTechniques:
- T1552
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: customProps_AssetName_s
  entityType: CloudApplication
- fieldMappings:
  - identifier: Url
    columnName: deepLink_s
  entityType: URL
kind: Scheduled
queryFrequency: 5m
description: |
    "Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)"
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
queryPeriod: 5m
id: f2490f5b-269c-471d-9ff4-475f62ea498e