CynerioEvent_CL
| where TimeGenerated > ago(24h)
| where module_s == 'IDS'
| where title_s == 'Scanner Activity'
customDetails:
DeviceType: asset_type_s
query: |
CynerioEvent_CL
| where TimeGenerated > ago(24h)
| where module_s == 'IDS'
| where title_s == 'Scanner Activity'
name: Cynerio - Medical device scanning
version: 1.0.0
description: Medical device is scanned with vulnerability scanner
kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
- columnName: asset_ip_s
identifier: Address
entityType: IP
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- LateralMovement
requiredDataConnectors:
- dataTypes:
- CynerioEvent_CL
connectorId: CynerioSecurityEvents
id: 211e9f49-3fca-4598-bc6e-e2c28d86e72c
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 5h
relevantTechniques:
- T0866
queryFrequency: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cynerio/Analytic Rules/MedicalDeviceScanning.yaml
