High Number of Urgent Vulnerabilities Detected

Back


Id	3edb7215-250b-40c0-8b46-79093949242d
Rulename	High Number of Urgent Vulnerabilities Detected
Description	This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190
Required data connectors	QualysVMLogsCCPDefinition
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml
Version	1.0.3
Arm template	3edb7215-250b-40c0-8b46-79093949242d.json

KQL

let threshold = 10;
QualysHostDetection
| where Severity == "5"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios, IPAddress
| where count_ >= threshold

YAML

id: 3edb7215-250b-40c0-8b46-79093949242d
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
description: |
    'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.'
version: 1.0.3
query: |
  let threshold = 10;
  QualysHostDetection
  | where Severity == "5"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios, IPAddress
  | where count_ >= threshold  
name: High Number of Urgent Vulnerabilities Detected
queryPeriod: 1h
triggerOperator: gt
requiredDataConnectors:
- connectorId: QualysVMLogsCCPDefinition
  dataTypes:
  - QualysHostDetection
status: Available
tactics:
- InitialAccess
relevantTechniques:
- T1190
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: NetBios
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address

ARM