Digital Shadows Incident Creation for exclude-app
| Id | f7abe9c1-1e6c-4317-b907-25769e7764c5 |
| Rulename | Digital Shadows Incident Creation for exclude-app |
| Description | Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications |
| Severity | Medium |
| Required data connectors | DigitalShadows |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 6m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml |
| Version | 1.0.2 |
| Arm template | f7abe9c1-1e6c-4317-b907-25769e7764c5.json |
let DSSearchLight_view = view () { DigitalShadows_CL | where app_s == "exclude" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
entityMappings:
- fieldMappings:
- columnName: EventReportUrl
identifier: Url
entityType: URL
triggerOperator: gt
tactics: []
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: true
enabled: true
lookbackDuration: 7d
groupByCustomDetails:
- triage_id
matchingMethod: Selected
groupByEntities: []
groupByAlertDetails: []
enabled: true
eventGroupingSettings:
aggregationKind: AlertPerResult
techniques: []
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: |-
{{description}}
{{impact}}
{{mitigation}}
alertTacticsColumnName:
alertDisplayNameFormat: Digital Shadows - {{EventMessage}}
version: 1.0.2
customDetails:
severity: EventOriginalSeverity
status: status
triage_id: EventOriginalUid
description: description
impact: impact
mitigation: mitigation
triggerThreshold: 0
relevantTechniques: []
queryPeriod: 6m
alertRuleTemplateName:
query: let DSSearchLight_view = view () { DigitalShadows_CL | where app_s == "exclude" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
severity: Medium
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml
name: Digital Shadows Incident Creation for exclude-app
queryFrequency: 5m
id: f7abe9c1-1e6c-4317-b907-25769e7764c5
description: Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- DigitalShadows_CL
connectorId: DigitalShadows