Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

BitSight - drop in the headline rating

Back
Idb11fdc35-6368-4cc0-8128-52cd2e2cdda0
RulenameBitSight - drop in the headline rating
DescriptionRule helps to detect if headline ratings is drop in BitSight.
SeverityHigh
TacticsReconnaissance
CommandAndControl
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
Version1.0.1
Arm templateb11fdc35-6368-4cc0-8128-52cd2e2cdda0.json
Deploy To Azure
let timeframe = 24h;
BitSightGraphData
| where ingestion_time() > ago(timeframe)
| where toint(RatingDifferance) < 0
| project RatingDate, Rating, CompanyName, RatingDifferance
requiredDataConnectors:
- connectorId: BitSight
  dataTypes:
  - BitSightGraphData
status: Available
incidentConfiguration:
  createIncident: false
queryFrequency: 1d
id: b11fdc35-6368-4cc0-8128-52cd2e2cdda0
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  CompanyName: CompanyName
  CompanyRating: Rating
requiredTechniques:
- T1591
- T1090
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
queryPeriod: 24h
description: |
    'Rule helps to detect if headline ratings is drop in BitSight.'
triggerThreshold: 0
tactics:
- Reconnaissance
- CommandAndControl
query: |
  let timeframe = 24h;
  BitSightGraphData
  | where ingestion_time() > ago(timeframe)
  | where toint(RatingDifferance) < 0
  | project RatingDate, Rating, CompanyName, RatingDifferance  
kind: Scheduled
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight : Alert for drop in the headline rating of {{CompanyName}}.'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRating Date: {{RatingDate}}\nRating Drop: {{RatingDifferance}}'
name: BitSight - drop in the headline rating
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRating Date: {{RatingDate}}\\nRating Drop: {{RatingDifferance}}",
          "alertDisplayNameFormat": "BitSight : Alert for drop in the headline rating of {{CompanyName}}."
        },
        "alertRuleTemplateName": "b11fdc35-6368-4cc0-8128-52cd2e2cdda0",
        "customDetails": {
          "CompanyName": "CompanyName",
          "CompanyRating": "Rating"
        },
        "description": "'Rule helps to detect if headline ratings is drop in BitSight.'\n",
        "displayName": "BitSight - drop in the headline rating",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml",
        "query": "let timeframe = 24h;\nBitSightGraphData\n| where ingestion_time() > ago(timeframe)\n| where toint(RatingDifferance) < 0\n| project RatingDate, Rating, CompanyName, RatingDifferance\n",
        "queryFrequency": "P1D",
        "queryPeriod": "PT24H",
        "requiredTechniques": [
          "T1591",
          "T1090"
        ],
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Reconnaissance"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}