Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

BitSight - drop in the headline rating

Back
Idb11fdc35-6368-4cc0-8128-52cd2e2cdda0
RulenameBitSight - drop in the headline rating
DescriptionRule helps to detect if headline ratings is drop in BitSight.
SeverityHigh
TacticsReconnaissance
CommandAndControl
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
Version1.0.1
Arm templateb11fdc35-6368-4cc0-8128-52cd2e2cdda0.json
Deploy To Azure
let timeframe = 24h;
BitSightGraphData
| where ingestion_time() > ago(timeframe)
| where toint(RatingDifferance) < 0
| project RatingDate, Rating, CompanyName, RatingDifferance
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight : Alert for drop in the headline rating of {{CompanyName}}.'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRating Date: {{RatingDate}}\nRating Drop: {{RatingDifferance}}'
id: b11fdc35-6368-4cc0-8128-52cd2e2cdda0
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
requiredDataConnectors:
- dataTypes:
  - BitSightGraphData
  connectorId: BitSight
description: |
    'Rule helps to detect if headline ratings is drop in BitSight.'
severity: High
queryPeriod: 24h
kind: Scheduled
tactics:
- Reconnaissance
- CommandAndControl
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1d
query: |
  let timeframe = 24h;
  BitSightGraphData
  | where ingestion_time() > ago(timeframe)
  | where toint(RatingDifferance) < 0
  | project RatingDate, Rating, CompanyName, RatingDifferance  
incidentConfiguration:
  createIncident: false
version: 1.0.1
triggerThreshold: 0
status: Available
name: BitSight - drop in the headline rating
requiredTechniques:
- T1591
- T1090
customDetails:
  CompanyName: CompanyName
  CompanyRating: Rating
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRating Date: {{RatingDate}}\\nRating Drop: {{RatingDifferance}}",
          "alertDisplayNameFormat": "BitSight : Alert for drop in the headline rating of {{CompanyName}}."
        },
        "alertRuleTemplateName": "b11fdc35-6368-4cc0-8128-52cd2e2cdda0",
        "customDetails": {
          "CompanyName": "CompanyName",
          "CompanyRating": "Rating"
        },
        "description": "'Rule helps to detect if headline ratings is drop in BitSight.'\n",
        "displayName": "BitSight - drop in the headline rating",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml",
        "query": "let timeframe = 24h;\nBitSightGraphData\n| where ingestion_time() > ago(timeframe)\n| where toint(RatingDifferance) < 0\n| project RatingDate, Rating, CompanyName, RatingDifferance\n",
        "queryFrequency": "P1D",
        "queryPeriod": "PT24H",
        "requiredTechniques": [
          "T1591",
          "T1090"
        ],
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "Reconnaissance"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}