Theom for Microsoft Sentinel Solution - Data Cloud and Data Lakehouse Attack Detection

Solution: Theom



Publisher: Theom
Support Tier: Partner
Support Link: https://www.theom.ai
Categories: domains
Version: 3.0.0
Author: Microsoft - support@microsoft.com
First Published: 2022-11-04
Solution Folder: Theom
Marketplace: Azure Marketplace
Popularity: Very Low (0%)

Theom for Microsoft Sentinel helps you prevent data breaches in the cloud by enabling your Microsoft Sentinel instance to receive critical alerts on data security and access from your Theom environment.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of them may be in Preview state or may incur additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

Contents

Data Connectors

This solution provides 1 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 1 table(s):

Table | Used By Connectors | Used By Content
TheomAlerts_CL 🔶 | Theom | Analytics, Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 21 content item(s):

Content Type | Count
Analytic Rules | 20
Workbooks | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Theom - Critical data in API headers or body | High | Collection | TheomAlerts_CL
Theom - Dark Data with large fin value | High | Collection | TheomAlerts_CL
Theom - Dev secrets exposed | High | Collection | TheomAlerts_CL
Theom - Dev secrets unencrypted | High | CredentialAccess | TheomAlerts_CL
Theom - Financial data exposed | High | Collection | TheomAlerts_CL
Theom - Financial data unencrypted | High | Collection | TheomAlerts_CL
Theom - Healthcare data exposed | High | Collection | TheomAlerts_CL
Theom - Healthcare data unencrypted | High | Collection | TheomAlerts_CL
Theom - Least priv large value shadow DB | High | Collection | TheomAlerts_CL
Theom - National IDs exposed | High | Collection | TheomAlerts_CL
Theom - National IDs unencrypted | High | Collection | TheomAlerts_CL
Theom - Overprovisioned Roles Shadow DB | High | Collection, PrivilegeEscalation | TheomAlerts_CL
Theom - Shadow DB large datastore value | High | Collection | TheomAlerts_CL
Theom - Shadow DB with atypical accesses | High | Collection, PrivilegeEscalation | TheomAlerts_CL
Theom - Unencrypted public data stores | High | Collection | TheomAlerts_CL
Theom Critical Risks | High | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Impact, Reconnaissance | TheomAlerts_CL
Theom High Risks | High | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Impact, Reconnaissance | TheomAlerts_CL
Theom Insights | Low | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Impact, Reconnaissance | TheomAlerts_CL
Theom Low Risks | High | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Impact, Reconnaissance | TheomAlerts_CL
Theom Medium Risks | High | Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Impact, Reconnaissance | TheomAlerts_CL

Workbooks

Name | Tables Used
Theom | TheomAlerts_CL

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.0 | 04-12-2023 | Updated all analytic rules with entity mappings
