Improved the Analytic Rule Logic

2024-01-09 00:47:50 +05:30 · 2024-01-09 00:47:50 +05:30 · 7a9db074ba
--- a/Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
+++ b/Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
@ -8,8 +8,8 @@ requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
      - PaloAltoPrismaCloud
-queryFrequency: 1h
-queryPeriod: 1h
+queryFrequency: 1d
+queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
@ -17,19 +17,24 @@ tactics:
 relevantTechniques:
  - T1133
 query: |
+  let ResolvedAlerts = PaloAltoPrismaCloud
+  | summarize result = make_set(Status) by AlertId
+  | where result has 'resolved'
+  | project AlertId;
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
-  | where AlertSeverity =~ 'high'
+  | where AlertSeverity =~ 'high' 
  | where Status =~ 'open'
+  | where AlertId !in (ResolvedAlerts)
  | extend alert_time = now() - TimeGenerated
  | where alert_time > 1d
  | extend ['Opened Days'] = strcat('Alert opened for ', strcat(toint(alert_time / 1d), ' days'))
-  | project AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
+  | distinct AlertId, AlertMessage, AlertSeverity, ['Opened Days'], ResourceId, UserName
  | extend AccountCustomEntity = UserName
 entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
--- a/Solutions/PaloAltoPrismaCloud/Data/Solution_PaloAltoPrismaCloud.json
+++ b/Solutions/PaloAltoPrismaCloud/Data/Solution_PaloAltoPrismaCloud.json
@ -44,7 +44,7 @@
 	],
 	"Metadata": "SolutionMetadata.json",
    "BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\PaloAltoPrismaCloud",
-	 "Version": "3.0.0",
+	 "Version": "3.0.1",
  "TemplateSpec": true,
  "Is1Pconnector": false
 }
--- a/Solutions/PaloAltoPrismaCloud/ReleaseNotes.md
+++ b/Solutions/PaloAltoPrismaCloud/ReleaseNotes.md
@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.1       | 09-01-2024                     | 1 **Analytic Rule** updated with improved rule logic             	|  
 | 3.0.0       | 18-08-2023                     | Manual deployment instructions updated for **Data Connector**		|