BitSight - drop in the headline rating

Back


Id	b11fdc35-6368-4cc0-8128-52cd2e2cdda0
Rulename	BitSight - drop in the headline rating
Description	Rule helps to detect if headline ratings is drop in BitSight.
Severity	High
Tactics	Reconnaissance CommandAndControl
Techniques	T1591 T1090
Required data connectors	BitSight
Kind	Scheduled
Query frequency	1d
Query period	24h
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
Version	1.0.2
Arm template	b11fdc35-6368-4cc0-8128-52cd2e2cdda0.json

KQL

let timeframe = 24h;
BitSightGraphData
| where ingestion_time() > ago(timeframe)
| where toint(RatingDifferance) < 0
| project RatingDate, Rating, CompanyName, RatingDifferance

YAML

tactics:
- Reconnaissance
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - BitSightGraphData
  connectorId: BitSight
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight : Alert for drop in the headline rating of {{CompanyName}}.'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRating Date: {{RatingDate}}\nRating Drop: {{RatingDifferance}}'
incidentConfiguration:
  createIncident: false
id: b11fdc35-6368-4cc0-8128-52cd2e2cdda0
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  CompanyRating: Rating
  CompanyName: CompanyName
query: |
  let timeframe = 24h;
  BitSightGraphData
  | where ingestion_time() > ago(timeframe)
  | where toint(RatingDifferance) < 0
  | project RatingDate, Rating, CompanyName, RatingDifferance  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
kind: Scheduled
queryPeriod: 24h
version: 1.0.2
name: BitSight - drop in the headline rating
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1591
- T1090
description: |
    'Rule helps to detect if headline ratings is drop in BitSight.'
triggerOperator: GreaterThan

ARM