{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "workspace": { "type": "String" } }, "resources": [ { "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d263abb-6445-45cc-93e9-c593d3d77b89')]", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d263abb-6445-45cc-93e9-c593d3d77b89')]", "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "kind": "Scheduled", "apiVersion": "2021-09-01-preview", "properties": { "displayName": "Red Canary Threat Detection", "description": "Triggers Incidents using detection data assembled by Red Canary.", "severity": "High", "enabled": true, "query": "RedCanaryDetections_CL\n| extend process_ioc_array = todynamic(process_iocs_s),\n child_process_ioc_array = todynamic(child_process_iocs_s),\n cross_process_ioc_array = todynamic(cross_process_iocs_s),\n file_mod_ioc_array = todynamic(file_modification_iocs_s),\n identities_array = todynamic(identities_s)\n| extend entities = array_concat(process_ioc_array, child_process_ioc_array, cross_process_ioc_array, file_mod_ioc_array, identities_array)\n| mv-expand entities\n| evaluate bag_unpack(entities)\n| extend file_hash_array = todynamic(column_ifexists('file_hashes', '[]'))\n| mv-expand file_hash_array\n| evaluate bag_unpack(file_hash_array, 'file_hash_')\n| project detection_id_s = column_ifexists('detection_id_s', ''),\n detection_url_s = column_ifexists('detection_url_s', ''),\n detection_headline_s = column_ifexists('detection_headline_s', ''),\n detection_details_s = column_ifexists('detection_details_s', ''),\n detection_severity_s = column_ifexists('detection_severity_s', ''),\n host_name_s = column_ifexists('host_name_s', ''),\n host_full_name_s = column_ifexists('host_full_name_s', ''),\n host_os_family_s = column_ifexists('host_os_family_s', ''),\n host_os_version_s = column_ifexists('host_os_version_s', ''),\n tactics_s = column_ifexists('tactics_s', ''),\n process_id = column_ifexists('process_id', ''),\n process_command_line = column_ifexists('process_command_line', ''),\n process_creation_time_utc = column_ifexists('process_creation_time_utc', ''),\n file_hash_algorithm = column_ifexists('file_hash_algorithm', ''),\n file_hash_value = column_ifexists('file_hash_value', ''),\n file_directory = column_ifexists('file_directory', ''),\n file_name = column_ifexists('file_name', ''),\n user_name = column_ifexists('user_name', ''),\n user_uid = column_ifexists('user_uid', '')", "queryFrequency": "PT5M", "queryPeriod": "PT5M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT5H", "suppressionEnabled": false, "tactics": [], "alertRuleTemplateName": null, "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { "enabled": true, "reopenClosedIncident": false, "lookbackDuration": "PT5M", "matchingMethod": "Selected", "groupByEntities": [], "groupByAlertDetails": [], "groupByCustomDetails": [ "detection_id" ] } }, "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "alertDetailsOverride": { "alertDisplayNameFormat": "Red Canary has published Detection-{{detection_id_s}}", "alertDescriptionFormat": "Red Canary has published a {{detection_severity_s}} severity detection with details:\n\n{{detection_details_s}}\n\nView the Detection at: {{detection_url_s}}", "alertTacticsColumnName": "tactics_s", "alertSeverityColumnName": "detection_severity_s" }, "customDetails": { "detection_id": "detection_id_s" }, "entityMappings": [ { "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "process_id" }, { "identifier": "CommandLine", "columnName": "process_command_line" }, { "identifier": "CreationTimeUtc", "columnName": "process_creation_time_utc" } ] }, { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "user_name" }, { "identifier": "Sid", "columnName": "user_uid" }, { "identifier": "Name", "columnName": "user_name" } ] }, { "entityType": "File", "fieldMappings": [ { "identifier": "Directory", "columnName": "file_directory" }, { "identifier": "Name", "columnName": "file_name" } ] }, { "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "host_name_s" }, { "identifier": "FullName", "columnName": "host_full_name_s" }, { "identifier": "OSFamily", "columnName": "host_os_family_s" } ] }, { "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", "columnName": "file_hash_algorithm" }, { "identifier": "Value", "columnName": "file_hash_value" } ] } ] } } ] }