Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. XbowMediumFindings

XbowMediumFindings

Back
Idb3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12
RulenameXbowMediumFindings
DescriptionCreates an incident for each Medium severity finding reported by XBOW that is currently

in an open state. These findings represent moderate security risks that should be

addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion

of the same finding does not produce duplicate incidents.
SeverityMedium
TacticsDiscovery
Reconnaissance
CredentialAccess
Required data connectorsXbowSecurityConnector
KindScheduled
Query frequency30m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml
Version1.0.0
Arm templateb3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12.json
Deploy To Azure
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) == 'medium'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl

customDetails:
  AssetId: AssetId
  FindingName: FindingName
  Mitigations: Mitigations
  CreatedAt: CreatedAt
  OrganizationId: OrganizationId
  Severity: Severity
  FindingId: FindingId
  AssetName: AssetName
  State: State
id: b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12
name: XbowMediumFindings
queryPeriod: 1h
requiredDataConnectors:
- connectorId: XbowSecurityConnector
  dataTypes:
  - XbowFindings_CL
  - XbowAssets_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities: []
    reopenClosedIncident: false
    groupByCustomDetails:
    - FindingId
    matchingMethod: Selected
    enabled: true
    lookbackDuration: 24h
    groupByAlertDetails: []
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) == 'medium'
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques: []
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: StartUrl
severity: Medium
kind: Scheduled
triggerThreshold: 0
triggerOperator: gt
tactics:
- Discovery
- Reconnaissance
- CredentialAccess
status: Available
queryFrequency: 30m
alertDetailsOverride:
  alertDisplayNameFormat: 'XBOW Medium: {{FindingName}}'
  alertDescriptionFormat: Medium severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
description: |
  Creates an incident for each Medium severity finding reported by XBOW that is currently
  in an open state. These findings represent moderate security risks that should be
  addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.