BitSight - diligence risk category detected
| Id | 161ed3ac-b242-4b13-8c6b-58716e5e9972 |
| Rulename | BitSight - diligence risk category detected |
| Description | Rule helps to detect whenever there is a diligence risk category found in BitSight. |
| Severity | Medium |
| Tactics | Execution Reconnaissance |
| Techniques | T1203 T1595.002 |
| Required data connectors | BitSight |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 24h |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml |
| Version | 1.0.2 |
| Arm template | 161ed3ac-b242-4b13-8c6b-58716e5e9972.json |
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Diligence"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
Severity <= 8.9 and Severity >= 7.0, "Medium",
Severity <= 10.0 and Severity >= 9.0, "High",
"Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector
relevantTechniques:
- T1203
- T1595.002
queryPeriod: 24h
triggerOperator: GreaterThan
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDiligenceRiskCategoryDetected.yaml
description: |
'Rule helps to detect whenever there is a diligence risk category found in BitSight.'
tactics:
- Execution
- Reconnaissance
severity: Medium
status: Available
kind: Scheduled
triggerThreshold: 0
queryFrequency: 1d
alertDetailsOverride:
alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Diligence'
alertSeverityColumnName: Severity
requiredDataConnectors:
- dataTypes:
- BitSightFindingsData
connectorId: BitSight
incidentConfiguration:
createIncident: false
entityMappings:
- entityType: Malware
fieldMappings:
- identifier: Name
columnName: RiskVector
- identifier: Category
columnName: RiskCategory
id: 161ed3ac-b242-4b13-8c6b-58716e5e9972
query: |
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Diligence"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
Severity <= 8.9 and Severity >= 7.0, "Medium",
Severity <= 10.0 and Severity >= 9.0, "High",
"Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, TemporaryId, RiskVector
name: BitSight - diligence risk category detected