Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Digital Shadows Incident Creation for exclude-app

Back
Idf7abe9c1-1e6c-4317-b907-25769e7764c5
RulenameDigital Shadows Incident Creation for exclude-app
DescriptionDigital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications
SeverityMedium
Required data connectorsDigitalShadows
KindScheduled
Query frequency5m
Query period6m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml
Version1.0.2
Arm templatef7abe9c1-1e6c-4317-b907-25769e7764c5.json
Deploy To Azure
let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == "exclude" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
customDetails:
  mitigation: mitigation
  severity: EventOriginalSeverity
  description: description
  impact: impact
  triage_id: EventOriginalUid
  status: status
id: f7abe9c1-1e6c-4317-b907-25769e7764c5
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: true
    enabled: true
    lookbackDuration: 7d
    groupByEntities: []
    matchingMethod: Selected
    groupByAlertDetails: []
    groupByCustomDetails:
    - triage_id
  createIncident: true
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertTacticsColumnName: 
  alertDisplayNameFormat: Digital Shadows - {{EventMessage}}
  alertDescriptionFormat: |-
    {{description}}

    {{impact}}

    {{mitigation}}    
version: 1.0.2
alertRuleTemplateName: 
requiredDataConnectors:
- dataTypes:
  - DigitalShadows_CL
  connectorId: DigitalShadows
query: let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == "exclude" | extend EventVendor="Digital Shadows", EventProduct="SearchLight",Type="DigitalShadows_CL",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack("assets", assets_s, "comments", comments_s, "description", description_s, "incident_id", id_d, "alert_id", id_g, "short_code", portal_id_s, "impact", impact_description_s, "mitigation", mitigation_s, "risk_factors", risk_factors_s, "triage_status", status_s, "triage_id", triage_id_g, "triage_raised", triage_raised_time_t,"triage_updated", triage_updated_time_t, "updated", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments
name: Digital Shadows Incident Creation for exclude-app
enabled: true
techniques: []
kind: Scheduled
suppressionEnabled: false
description: Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: EventReportUrl
    identifier: Url
triggerThreshold: 0
queryPeriod: 6m
tactics: []
suppressionDuration: 5h
relevantTechniques: []
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7abe9c1-1e6c-4317-b907-25769e7764c5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7abe9c1-1e6c-4317-b907-25769e7764c5')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}\n\n{{impact}}\n\n{{mitigation}}",
          "alertDisplayNameFormat": "Digital Shadows - {{EventMessage}}",
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": null
        },
        "alertRuleTemplateName": "f7abe9c1-1e6c-4317-b907-25769e7764c5",
        "customDetails": {
          "description": "description",
          "impact": "impact",
          "mitigation": "mitigation",
          "severity": "EventOriginalSeverity",
          "status": "status",
          "triage_id": "EventOriginalUid"
        },
        "description": "Digital Shadows Analytic rule for generating Microsoft Sentinel incidents for the data ingested by app polling for excluded classifications",
        "displayName": "Digital Shadows Incident Creation for exclude-app",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "EventReportUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [
              "triage_id"
            ],
            "groupByEntities": [],
            "lookbackDuration": "P7D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital Shadows/Analytic Rules/Digital_Shadows_incident_creation_exclude.yaml",
        "query": "let DSSearchLight_view  = view () { DigitalShadows_CL | where app_s == \"exclude\" | extend EventVendor=\"Digital Shadows\", EventProduct=\"SearchLight\",Type=\"DigitalShadows_CL\",EventStartTime=raised_t,EventMessage=title_s,EventOriginalUid=triage_id_g,EventOriginalType=classification_s | extend EventOriginalSeverity=iif(isempty(risk_level_s), risk_assessment_risk_level_s, risk_level_s) | extend EventSeverity = case(EventOriginalSeverity == 'none', 'Informational', EventOriginalSeverity == 'very-low', 'Low',EventOriginalSeverity == 'low', 'Low',EventOriginalSeverity == 'medium', 'Medium',EventOriginalSeverity == 'high', 'High',EventOriginalSeverity == 'very-high', 'High','Informational') | extend EventReportUrl=iif(isempty(id_d), strcat('https://portal-digitalshadows.com/triage/alerts/',portal_id_s),strcat('https://portal-digitalshadows.com/triage/alert-incidents/',id_d)) | extend AdditionalFields = pack(\"assets\", assets_s, \"comments\", comments_s, \"description\", description_s, \"incident_id\", id_d, \"alert_id\", id_g, \"short_code\", portal_id_s, \"impact\", impact_description_s, \"mitigation\", mitigation_s, \"risk_factors\", risk_factors_s, \"triage_status\", status_s, \"triage_id\", triage_id_g, \"triage_raised\", triage_raised_time_t,\"triage_updated\", triage_updated_time_t, \"updated\", updated_t) | project TimeGenerated, EventVendor,EventProduct, Type, EventStartTime,EventMessage, EventOriginalUid, EventOriginalType,EventOriginalSeverity, EventSeverity, EventReportUrl,AdditionalFields};DSSearchLight_view | summarize arg_max(TimeGenerated, *) by EventOriginalUid | extend description = AdditionalFields.description | extend impact = AdditionalFields.impact | extend mitigation = AdditionalFields.mitigation | extend status = AdditionalFields.triage_status | extend comments = AdditionalFields.comments",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT6M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}