Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BitSight - new breach found

BitSight - new breach found

Back
Ida5526ba9-5997-47c6-bf2e-60a08b681e9b
RulenameBitSight - new breach found
DescriptionRule helps to detect a new breach generated in BitSight.
SeverityMedium
TacticsImpact
InitialAccess
TechniquesT1491
T1190
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightNewBreachFound.yaml
Version1.0.1
Arm templatea5526ba9-5997-47c6-bf2e-60a08b681e9b.json
Deploy To Azure
let timeframe = 24h;
BitSightBreaches
| where ingestion_time() > ago(timeframe)
| extend Severity = toreal(Severity)
| extend Severity = case( Severity == 1, "Low",
                          Severity == 2, "Medium",
                          Severity == 3, "High",
                          "Informational")
| project DateCreated, Companyname, Severity, PreviwURL, GUID

description: |
    'Rule helps to detect a new breach generated in BitSight.'
version: 1.0.1
triggerThreshold: 0
tactics:
- Impact
- InitialAccess
queryPeriod: 24h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightNewBreachFound.yaml
triggerOperator: GreaterThan
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight: Alert for new breach in {{Companyname}}.'
  alertDescriptionFormat: 'Alert is generated on {{DateCreated}} at BitSight.\n\nGUID: {{GUID}}\nPreview URL: {{PreviwURL}}'
  alertSeverityColumnName: Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: a5526ba9-5997-47c6-bf2e-60a08b681e9b
name: BitSight - new breach found
queryFrequency: 1d
severity: Medium
incidentConfiguration:
  createIncident: false
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: PreviwURL
    identifier: Url
  entityType: URL
relevantTechniques:
- T1491
- T1190
query: |
  let timeframe = 24h;
  BitSightBreaches
  | where ingestion_time() > ago(timeframe)
  | extend Severity = toreal(Severity)
  | extend Severity = case( Severity == 1, "Low",
                            Severity == 2, "Medium",
                            Severity == 3, "High",
                            "Informational")
  | project DateCreated, Companyname, Severity, PreviwURL, GUID  
requiredDataConnectors:
- dataTypes:
  - BitSightBreaches
  connectorId: BitSight