BitSight - diligence risk category detected

Back


Id	161ed3ac-b242-4b13-8c6b-58716e5e9972
Rulename	BitSight - diligence risk category detected
Description	Rule helps to detect whenever there is a diligence risk category found in BitSight.
Severity	Medium
Tactics	Execution Reconnaissance
Required data connectors	BitSight
Kind	Scheduled
Query frequency	1d
Query period	24h
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml
Version	1.0.1
Arm template	161ed3ac-b242-4b13-8c6b-58716e5e9972.json

KQL

let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Diligence"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                          Severity <= 8.9 and Severity >= 7.0, "Medium",
                          Severity <= 10.0 and Severity >= 9.0, "High",
                          "Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector

YAML

requiredTechniques:
- T1203
- T1595.002
severity: Medium
queryFrequency: 1d
triggerThreshold: 0
description: |
    'Rule helps to detect whenever there is a diligence risk category found in BitSight.'
incidentConfiguration:
  createIncident: false
kind: Scheduled
query: |
  let timeframe = 24h;
  BitSightFindingsData
  | where ingestion_time() > ago(timeframe)
  | where RiskCategory == "Diligence"
  | extend Severity = toreal(Severity)
  | extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                            Severity <= 8.9 and Severity >= 7.0, "Medium",
                            Severity <= 10.0 and Severity >= 9.0, "High",
                            "Informational")
  | project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector  
version: 1.0.1
name: BitSight - diligence risk category detected
id: 161ed3ac-b242-4b13-8c6b-58716e5e9972
triggerOperator: GreaterThan
requiredDataConnectors:
- connectorId: BitSight
  dataTypes:
  - BitSightFindingsData
status: Available
tactics:
- Execution
- Reconnaissance
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
  alertSeverityColumnName: Severity
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Diligence'
queryPeriod: 24h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: RiskVector
    identifier: Name
  - columnName: RiskCategory
    identifier: Category

ARM