BloodHound Enterprise - Exposure increase

Back


Id	b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8
Rulename	BloodHound Enterprise - Exposure increase
Description	The exposure for a domain has increased by more than 5% over the past 7 days.
Severity	High
Required data connectors	BloodHoundEnterprise
Kind	Scheduled
Query frequency	7d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseExposure.yaml
Version	1.0.1
Arm template	b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8.json

KQL

BloodHoundEnterprise
| where data_type == "posture"
| where created_at > ago (7d)
| summarize min(exposure_index), arg_max(created_at, exposure_index) by domain_name
| extend min_exposure = min_exposure_index * 100, latest_exposure = exposure_index * 100
| where latest_exposure - min_exposure > 5

YAML

id: b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: BloodHoundEnterprise
  dataTypes:
  - BloodHoundEnterprise
entityMappings:
- fieldMappings:
  - identifier: DomainName
    displayName: domain_name
  entityType: DNS
version: 1.0.1
triggerOperator: gt
queryPeriod: 7d
query: |
  BloodHoundEnterprise
  | where data_type == "posture"
  | where created_at > ago (7d)
  | summarize min(exposure_index), arg_max(created_at, exposure_index) by domain_name
  | extend min_exposure = min_exposure_index * 100, latest_exposure = exposure_index * 100
  | where latest_exposure - min_exposure > 5  
relevantTechniques: []
tactics: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseExposure.yaml
status: Available
description: |
    'The exposure for a domain has increased by more than 5% over the past 7 days.'
name: BloodHound Enterprise - Exposure increase
kind: Scheduled
queryFrequency: 7d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8')]",
      "properties": {
        "alertRuleTemplateName": "b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8",
        "customDetails": null,
        "description": "'The exposure for a domain has increased by more than 5% over the past 7 days.'\n",
        "displayName": "BloodHound Enterprise - Exposure increase",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "displayName": "domain_name",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseExposure.yaml",
        "query": "BloodHoundEnterprise\n| where data_type == \"posture\"\n| where created_at > ago (7d)\n| summarize min(exposure_index), arg_max(created_at, exposure_index) by domain_name\n| extend min_exposure = min_exposure_index * 100, latest_exposure = exposure_index * 100\n| where latest_exposure - min_exposure > 5\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}