Sonrai Ticket Closed

Sonrai_Tickets_CL
| where action_d == 2

description: |
  'Checks if Sonrai tickets have been closed. 
  It uses the action type to check if a ticket has been closed'  
version: 1.0.2
triggerThreshold: 0
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketClosed.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: Closed - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
  alertDescriptionFormat: digest_ticketKeyDescription_s
  alertSeverityColumnName: digest_severityCategory_s
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: f5d467de-b5a2-4b4f-96db-55e27c733594
name: Sonrai Ticket Closed
queryFrequency: 5m
severity: Low
customDetails:
  ticketStatus: digest_status_s
  ticketSeverity: digest_severityCategory_s
  resourceType: digest_resourceType_s
  criticalResource: digest_criticalResourceName_s
  ticketName: digest_title_s
  resourceLabel: digest_resourceLabel_s
  ticketOrg: digest_org_s
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: digest_criticalResourceName_s
    identifier: Name
  entityType: CloudApplication
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
query: |
  Sonrai_Tickets_CL
  | where action_d == 2  
requiredDataConnectors:
- dataTypes:
  - Sonrai_Tickets_CL
  connectorId: SonraiDataConnector