BitSight - drop in the headline rating

Back


Id	b11fdc35-6368-4cc0-8128-52cd2e2cdda0
Rulename	BitSight - drop in the headline rating
Description	Rule helps to detect if headline ratings is drop in BitSight.
Severity	High
Tactics	Reconnaissance CommandAndControl
Techniques	T1591 T1090
Required data connectors	BitSight
Kind	Scheduled
Query frequency	1d
Query period	24h
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
Version	1.0.2
Arm template	b11fdc35-6368-4cc0-8128-52cd2e2cdda0.json

KQL

let timeframe = 24h;
BitSightGraphData
| where ingestion_time() > ago(timeframe)
| where toint(RatingDifferance) < 0
| project RatingDate, Rating, CompanyName, RatingDifferance

YAML

status: Available
queryFrequency: 1d
queryPeriod: 24h
kind: Scheduled
incidentConfiguration:
  createIncident: false
triggerThreshold: 0
description: |
    'Rule helps to detect if headline ratings is drop in BitSight.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
customDetails:
  CompanyName: CompanyName
  CompanyRating: Rating
requiredDataConnectors:
- connectorId: BitSight
  dataTypes:
  - BitSightGraphData
id: b11fdc35-6368-4cc0-8128-52cd2e2cdda0
tactics:
- Reconnaissance
- CommandAndControl
name: BitSight - drop in the headline rating
triggerOperator: GreaterThan
relevantTechniques:
- T1591
- T1090
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  let timeframe = 24h;
  BitSightGraphData
  | where ingestion_time() > ago(timeframe)
  | where toint(RatingDifferance) < 0
  | project RatingDate, Rating, CompanyName, RatingDifferance  
version: 1.0.2
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight : Alert for drop in the headline rating of {{CompanyName}}.'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRating Date: {{RatingDate}}\nRating Drop: {{RatingDifferance}}'
severity: High

ARM