let threshold = 10;
QualysHostDetection
| extend Status = tostring(Status), Vulnerability = tostring(QID), Severity = tostring(Severity)
| where Status =~ "New" and Severity == "5"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios) by tostring(QID)
| where dcount_NetBios >= threshold
| extend timestamp = StartTime
queryPeriod: 1h
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Analytic Rules/NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml
relevantTechniques:
- T1190
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
query: |
let threshold = 10;
QualysHostDetection
| extend Status = tostring(Status), Vulnerability = tostring(QID), Severity = tostring(Severity)
| where Status =~ "New" and Severity == "5"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios) by tostring(QID)
| where dcount_NetBios >= threshold
| extend timestamp = StartTime
id: 6116dc19-475a-4148-84b2-efe89c073e27
tactics:
- InitialAccess
status: Available
requiredDataConnectors:
- connectorId: QualysVMLogsCCPDefinition
dataTypes:
- QualysHostDetection
triggerThreshold: 0
name: New High Severity Vulnerability Detected Across Multiple Hosts
severity: Medium
description: |
'This creates an incident when a new high severity vulnerability is detected across multilple hosts'
