Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BitSight - new alert found

BitSight - new alert found

Back
Ida1275c5e-0ff4-4d15-a7b7-96018cd979f5
RulenameBitSight - new alert found
DescriptionRule helps to detect a new alerts generated in BitSight.
SeverityHigh
TacticsImpact
InitialAccess
TechniquesT1491
T1190
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightNewAlertFound.yaml
Version1.0.1
Arm templatea1275c5e-0ff4-4d15-a7b7-96018cd979f5.json
Deploy To Azure
let timeframe = 24h;
BitSightAlerts
| where ingestion_time() > ago(timeframe)
| extend Severity = case( Severity contains "INCREASE", "Low",
                          Severity contains "WARN" or Severity contains "DECREASE", "Medium",
                          Severity contains "CRITICAL", "High",
                          "Informational")
| extend CompanyURL = strcat("https://service.bitsighttech.com/app/spm",CompanyURL)
| project CompanyName, Severity, Trigger, CompanyURL, AlertDate, GUID

description: |
    'Rule helps to detect a new alerts generated in BitSight.'
version: 1.0.1
triggerThreshold: 0
tactics:
- Impact
- InitialAccess
queryPeriod: 24h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightNewAlertFound.yaml
triggerOperator: GreaterThan
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight: Alert for {{Trigger}} in {{CompanyName}} from bitsight.'
  alertDescriptionFormat: 'Alert generated on {{AlertDate}} in BitSight.\n\nCompany URL: {{CompanyURL}}\nAlert GUID: {{GUID}}'
  alertSeverityColumnName: Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: a1275c5e-0ff4-4d15-a7b7-96018cd979f5
name: BitSight - new alert found
queryFrequency: 1d
severity: High
incidentConfiguration:
  createIncident: false
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: CompanyURL
    identifier: Url
  entityType: URL
relevantTechniques:
- T1491
- T1190
query: |
  let timeframe = 24h;
  BitSightAlerts
  | where ingestion_time() > ago(timeframe)
  | extend Severity = case( Severity contains "INCREASE", "Low",
                            Severity contains "WARN" or Severity contains "DECREASE", "Medium",
                            Severity contains "CRITICAL", "High",
                            "Informational")
  | extend CompanyURL = strcat("https://service.bitsighttech.com/app/spm",CompanyURL)
  | project CompanyName, Severity, Trigger, CompanyURL, AlertDate, GUID  
requiredDataConnectors:
- dataTypes:
  - BitSightAlerts
  connectorId: BitSight