Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

BitSight - drop in the headline rating

Back
Idb11fdc35-6368-4cc0-8128-52cd2e2cdda0
RulenameBitSight - drop in the headline rating
DescriptionRule helps to detect if headline ratings is drop in BitSight.
SeverityHigh
TacticsCommandAndControl
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
Version1.0.0
Arm templateb11fdc35-6368-4cc0-8128-52cd2e2cdda0.json
Deploy To Azure
let timeframe = 24h;
BitSightGraphData
| where ingestion_time() > ago(timeframe)
| where toint(RatingDifferance) < 0
| project RatingDate, Rating, CompanyName, RatingDifferance
customDetails:
  CompanyName: CompanyName
  CompanyRating: Rating
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight : Alert for drop in the headline rating of {{CompanyName}}.'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRating Date: {{RatingDate}}\nRating Drop: {{RatingDifferance}}'
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml
requiredDataConnectors:
- dataTypes:
  - BitSightGraphData
  connectorId: BitSight
queryPeriod: 24h
tactics:
- CommandAndControl
severity: High
incidentConfiguration:
  createIncident: false
triggerOperator: GreaterThan
description: |
    'Rule helps to detect if headline ratings is drop in BitSight.'
query: |
  let timeframe = 24h;
  BitSightGraphData
  | where ingestion_time() > ago(timeframe)
  | where toint(RatingDifferance) < 0
  | project RatingDate, Rating, CompanyName, RatingDifferance  
name: BitSight - drop in the headline rating
version: 1.0.0
kind: Scheduled
id: b11fdc35-6368-4cc0-8128-52cd2e2cdda0
queryFrequency: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b11fdc35-6368-4cc0-8128-52cd2e2cdda0')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert is generated for {{CompanyName}}.\\n\\nRating Date: {{RatingDate}}\\nRating Drop: {{RatingDifferance}}",
          "alertDisplayNameFormat": "BitSight : Alert for drop in the headline rating of {{CompanyName}}."
        },
        "alertRuleTemplateName": "b11fdc35-6368-4cc0-8128-52cd2e2cdda0",
        "customDetails": {
          "CompanyName": "CompanyName",
          "CompanyRating": "Rating"
        },
        "description": "'Rule helps to detect if headline ratings is drop in BitSight.'\n",
        "displayName": "BitSight - drop in the headline rating",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightDropInHeadlineRating.yaml",
        "query": "let timeframe = 24h;\nBitSightGraphData\n| where ingestion_time() > ago(timeframe)\n| where toint(RatingDifferance) < 0\n| project RatingDate, Rating, CompanyName, RatingDifferance\n",
        "queryFrequency": "P1D",
        "queryPeriod": "PT24H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}