Theom - Dev secrets unencrypted

Back


Id	f2490f5b-269c-471d-9ff4-475f62ea498e
Rulename	Theom - Dev secrets unencrypted
Description	“Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)”
Severity	High
Required data connectors	Theom
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
Version	1.0.0
Arm template	f2490f5b-269c-471d-9ff4-475f62ea498e.json

KQL

TheomAlerts_CL
  | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")

YAML

severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml
description: |
    "Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)"
triggerOperator: gt
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - TheomAlerts_CL
  connectorId: Theom
queryFrequency: 5m
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
query: |
  TheomAlerts_CL
    | where customProps_RuleId_s == "TRIS0001" and (priority_s == "P1" or priority_s == "P2")  
status: Available
kind: Scheduled
version: 1.0.0
id: f2490f5b-269c-471d-9ff4-475f62ea498e
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings: 
name: Theom - Dev secrets unencrypted

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f2490f5b-269c-471d-9ff4-475f62ea498e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f2490f5b-269c-471d-9ff4-475f62ea498e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Theom - Dev secrets unencrypted",
        "description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0001 (Developer secrets have been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)\"\n",
        "severity": "High",
        "enabled": true,
        "query": "TheomAlerts_CL\n  | where customProps_RuleId_s == \"TRIS0001\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "f2490f5b-269c-471d-9ff4-475f62ea498e",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDescriptionFormat": "\nSummary: {{summary_s}}  \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n",
          "alertDisplayNameFormat": "Theom Alert ID: {{id_s}} "
        },
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0001_Dev_secrets_unencrypted.yaml",
        "status": "Available"
      }
    }
  ]
}