Sonrai Ticket Closed

Sonrai_Tickets_CL
| where action_d == 2

id: f5d467de-b5a2-4b4f-96db-55e27c733594
requiredDataConnectors:
- connectorId: SonraiDataConnector
  dataTypes:
  - Sonrai_Tickets_CL
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: digest_criticalResourceName_s
  entityType: CloudApplication
query: |
  Sonrai_Tickets_CL
  | where action_d == 2  
triggerThreshold: 0
kind: Scheduled
severity: Low
queryPeriod: 5m
customDetails:
  ticketSeverity: digest_severityCategory_s
  resourceLabel: digest_resourceLabel_s
  ticketOrg: digest_org_s
  ticketName: digest_title_s
  ticketStatus: digest_status_s
  criticalResource: digest_criticalResourceName_s
  resourceType: digest_resourceType_s
tactics:
- Collection
- CommandAndControl
- CredentialAccess
- DefenseEvasion
- Discovery
- Execution
- Exfiltration
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
queryFrequency: 5m
status: Available
relevantTechniques:
- T1566
- T1059
- T1547
- T1548
- T1562
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: Closed - {{digest_ticketSrn_s}} - {{digest_ticketKeyName_s}}
  alertSeverityColumnName: digest_severityCategory_s
  alertDescriptionFormat: digest_ticketKeyDescription_s
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Analytic Rules/SonraiTicketClosed.yaml
description: |
  'Checks if Sonrai tickets have been closed. 
  It uses the action type to check if a ticket has been closed'  
name: Sonrai Ticket Closed
version: 1.0.2