Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BitSight - diligence risk category detected

BitSight - diligence risk category detected

Back
Id161ed3ac-b242-4b13-8c6b-58716e5e9972
RulenameBitSight - diligence risk category detected
DescriptionRule helps to detect whenever there is a diligence risk category found in BitSight.
SeverityMedium
TacticsExecution
Reconnaissance
TechniquesT1203
T1595.002
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml
Version1.0.2
Arm template161ed3ac-b242-4b13-8c6b-58716e5e9972.json
Deploy To Azure
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Diligence"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                          Severity <= 8.9 and Severity >= 7.0, "Medium",
                          Severity <= 10.0 and Severity >= 9.0, "High",
                          "Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector

queryPeriod: 24h
id: 161ed3ac-b242-4b13-8c6b-58716e5e9972
severity: Medium
status: Available
queryFrequency: 1d
query: |
  let timeframe = 24h;
  BitSightFindingsData
  | where ingestion_time() > ago(timeframe)
  | where RiskCategory == "Diligence"
  | extend Severity = toreal(Severity)
  | extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                            Severity <= 8.9 and Severity >= 7.0, "Medium",
                            Severity <= 10.0 and Severity >= 9.0, "High",
                            "Informational")
  | project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector  
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: false
tactics:
- Execution
- Reconnaissance
requiredDataConnectors:
- dataTypes:
  - BitSightFindingsData
  connectorId: BitSight
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml
relevantTechniques:
- T1203
- T1595.002
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: RiskVector
  - identifier: Category
    columnName: RiskCategory
  entityType: Malware
name: BitSight - diligence risk category detected
triggerOperator: GreaterThan
version: 1.0.2
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
  alertSeverityColumnName: Severity
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Diligence'
description: |
    'Rule helps to detect whenever there is a diligence risk category found in BitSight.'