XbowMediumFindings
| Id | b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12 |
| Rulename | XbowMediumFindings |
| Description | Creates an incident for each Medium severity finding reported by XBOW that is currently in an open state. These findings represent moderate security risks that should be addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | Medium |
| Tactics | Discovery Reconnaissance CredentialAccess |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml |
| Version | 1.0.0 |
| Arm template | b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12.json |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) == 'medium'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByCustomDetails:
- FindingId
matchingMethod: Selected
groupByAlertDetails: []
groupByEntities: []
lookbackDuration: 24h
enabled: true
reopenClosedIncident: false
requiredDataConnectors:
- dataTypes:
- XbowFindings_CL
- XbowAssets_CL
connectorId: XbowSecurityConnector
relevantTechniques: []
triggerOperator: gt
customDetails:
State: State
CreatedAt: CreatedAt
Mitigations: Mitigations
AssetName: AssetName
FindingId: FindingId
FindingName: FindingName
AssetId: AssetId
OrganizationId: OrganizationId
Severity: Severity
queryFrequency: 30m
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: StartUrl
identifier: Url
entityType: URL
alertDetailsOverride:
alertDescriptionFormat: Medium severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
alertDisplayNameFormat: 'XBOW Medium: {{FindingName}}'
name: XbowMediumFindings
query: |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) == 'medium'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
version: 1.0.0
tactics:
- Discovery
- Reconnaissance
- CredentialAccess
queryPeriod: 1h
description: |
Creates an incident for each Medium severity finding reported by XBOW that is currently
in an open state. These findings represent moderate security risks that should be
addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion
of the same finding does not produce duplicate incidents.
kind: Scheduled
id: b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available