Theom - Healthcare data unencrypted

Back


Id	fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7
Rulename	Theom - Healthcare data unencrypted
Description	“Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0004 (Healthcare data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)”
Severity	High
Required data connectors	Theom
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0004_Healthcare_data_unencrypted.yaml
Version	1.0.0
Arm template	fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7.json

KQL

TheomAlerts_CL
  | where customProps_RuleId_s == "TRIS0004" and (priority_s == "P1" or priority_s == "P2")

YAML

kind: Scheduled
triggerOperator: gt
queryFrequency: 5m
name: Theom - Healthcare data unencrypted
alertDetailsOverride:
  alertDescriptionFormat: |2

    Summary: {{summary_s}}  
    Additional info: {{details_s}}
    Please investigate further on Theom UI at {{deepLink_s}}
  alertDisplayNameFormat: 'Theom Alert ID: {{id_s}} '
status: Available
queryPeriod: 5m
id: fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7
description: |
    "Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0004 (Healthcare data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)"
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0004_Healthcare_data_unencrypted.yaml
query: |
  TheomAlerts_CL
    | where customProps_RuleId_s == "TRIS0004" and (priority_s == "P1" or priority_s == "P2")  
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings: 
requiredDataConnectors:
- connectorId: Theom
  dataTypes:
  - TheomAlerts_CL
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Theom - Healthcare data unencrypted",
        "description": "\"Creates Sentinel incidents for critical/high Theom risks, associated with ruleId TRIS0004 (Healthcare data has been observed in unencrypted data stores. Encrypt data at rest to comply with this CIS requirement)\"\n",
        "severity": "High",
        "enabled": true,
        "query": "TheomAlerts_CL\n  | where customProps_RuleId_s == \"TRIS0004\" and (priority_s == \"P1\" or priority_s == \"P2\")\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "fb1b0deb-2a8f-4d8d-8d9d-0a8d327442e7",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Theom Alert ID: {{id_s}} ",
          "alertDescriptionFormat": "\nSummary: {{summary_s}}  \nAdditional info: {{details_s}}\nPlease investigate further on Theom UI at {{deepLink_s}}\n"
        },
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Theom/Analytic Rules/TRIS0004_Healthcare_data_unencrypted.yaml",
        "status": "Available"
      }
    }
  ]
}