Theom - Dev secrets unencrypted

Back


Id	f2490f5b-269c-471d-9ff4-475f62ea498e
Rulename	Theom - Dev secrets unencrypted
Description	“Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)”
Severity	High
Required data connectors	Theom
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
Version	1.0.0
Arm template	f2490f5b-269c-471d-9ff4-475f62ea498e.json

KQL

TheomAlerts_CL
  | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")

YAML

queryFrequency: 5m
entityMappings: 
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
query: |
  TheomAlerts_CL
    | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")  
id: f2490f5b-269c-471d-9ff4-475f62ea498e
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: Theom
  dataTypes:
  - TheomAlerts_CL
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    "Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)"
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
status: Available
name: Theom - Dev secrets unencrypted
queryPeriod: 5m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f2490f5b-269c-471d-9ff4-475f62ea498e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f2490f5b-269c-471d-9ff4-475f62ea498e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Theom - Dev secrets unencrypted",
        "description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)\"\n",
        "severity": "High",
        "enabled": true,
        "query": "TheomAlerts_CL\n  | where customProps_RuleId_s == \"TRIS0001\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "f2490f5b-269c-471d-9ff4-475f62ea498e",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDescriptionFormat": "\nSummary: {{summary_s}}  \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
          "alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
        },
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml"
      }
    }
  ]
}