Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dynatrace Application Security - Third-Party runtime vulnerability detection

Back
Idaf99b078-124b-543a-9a50-66ef87c09f6a
RulenameDynatrace Application Security - Third-Party runtime vulnerability detection
DescriptionDetect Third-Party runtime vulnerabilities in your environment insights by snyk
SeverityMedium
TacticsDefenseEvasion
Execution
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
Required data connectorsDynatraceRuntimeVulnerabilities
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection.yaml
Version1.0.0
Arm templateaf99b078-124b-543a-9a50-66ef87c09f6a.json
Deploy To Azure
DynatraceSecurityProblems
| where VulnerabilityType != "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL"  and Muted == false
| summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection.yaml
severity: Medium
name: Dynatrace Application Security - Third-Party runtime vulnerability detection
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDescriptionFormat: |
        Third-party runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.
  alertDisplayNameFormat: 'Dynatrace Third-party runtime vulnerability detected - {{DisplayId}} : {{Title}}'
queryFrequency: 1d
suppressionDuration: 5h
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 1d
description: |
    'Detect Third-Party runtime vulnerabilities in your environment insights by snyk'
id: af99b078-124b-543a-9a50-66ef87c09f6a
tactics:
- DefenseEvasion
- Execution
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
triggerThreshold: 0
customDetails:
  PackageName: PackageName
  SecProbIdentifier: SecurityProblemId
  DAVISExposure: DAVISExposure
  DAVISRiskScore: DAVISRiskScore
  DAVISPublicExploit: DAVISPublicExploit
  DAVISVulnFuncUsage: DAVISVulnerableFunctionUsage
  Technology: Technology
  VulnerabilityType: VulnerabilityType
  SecurityProblemUrl: Url
  DAVISRiskLevel: DAVISRiskLevel
  DAVISDataAssets: DAVISDataAssets
  ExternVulnIdentifier: ExternalVulnerabilityId
  DisplayIdentifier: DisplayId
  DAVISRiskVector: DAVISRiskVector
  CVEIds: CVEIds
version: 1.0.0
suppressionEnabled: false
query: |
  DynatraceSecurityProblems
  | where VulnerabilityType != "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL"  and Muted == false
  | summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId  
status: Available
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - DynatraceSecurityProblems
  connectorId: DynatraceRuntimeVulnerabilities
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af99b078-124b-543a-9a50-66ef87c09f6a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af99b078-124b-543a-9a50-66ef87c09f6a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Dynatrace Application Security - Third-Party runtime vulnerability detection",
        "description": "'Detect Third-Party runtime vulnerabilities in your environment insights by snyk'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "DynatraceSecurityProblems\n| where VulnerabilityType != \"CODE_LEVEL\" and DAVISRiskLevel == \"CRITICAL\"  and Muted == false\n| summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "alertRuleTemplateName": "af99b078-124b-543a-9a50-66ef87c09f6a",
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "lookbackDuration": "PT5H",
            "reopenClosedIncident": false,
            "matchingMethod": "AllEntities",
            "enabled": false
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": "Severity",
          "alertDescriptionFormat": "Third-party runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.\n",
          "alertDisplayNameFormat": "Dynatrace Third-party runtime vulnerability detected - {{DisplayId}} : {{Title}}"
        },
        "customDetails": {
          "PackageName": "PackageName",
          "SecProbIdentifier": "SecurityProblemId",
          "DAVISExposure": "DAVISExposure",
          "DAVISRiskVector": "DAVISRiskVector",
          "DAVISPublicExploit": "DAVISPublicExploit",
          "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
          "Technology": "Technology",
          "VulnerabilityType": "VulnerabilityType",
          "SecurityProblemUrl": "Url",
          "DAVISRiskLevel": "DAVISRiskLevel",
          "ExternVulnIdentifier": "ExternalVulnerabilityId",
          "DAVISRiskScore": "DAVISRiskScore",
          "DAVISDataAssets": "DAVISDataAssets",
          "DisplayIdentifier": "DisplayId",
          "CVEIds": "CVEIds"
        },
        "entityMappings": null,
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}