Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. XbowMediumFindings

XbowMediumFindings

Back
Idb3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12
RulenameXbowMediumFindings
DescriptionCreates an incident for each Medium severity finding reported by XBOW that is currently

in an open state. These findings represent moderate security risks that should be

addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion

of the same finding does not produce duplicate incidents.
SeverityMedium
TacticsDiscovery
Reconnaissance
CredentialAccess
Required data connectorsXbowSecurityConnector
KindScheduled
Query frequency30m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml
Version1.0.0
Arm templateb3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12.json
Deploy To Azure
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) == 'medium'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl

id: b3c5e2f9-6a8d-4127-9b2e-4f6a8c9d0e12
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: StartUrl
  entityType: URL
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - XbowFindings_CL
  - XbowAssets_CL
  connectorId: XbowSecurityConnector
queryFrequency: 30m
alertDetailsOverride:
  alertDisplayNameFormat: 'XBOW Medium: {{FindingName}}'
  alertDescriptionFormat: Medium severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
queryPeriod: 1h
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 24h
    groupByAlertDetails: []
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByCustomDetails:
    - FindingId
    groupByEntities: []
    enabled: true
  createIncident: true
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) == 'medium'
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl  
name: XbowMediumFindings
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowMediumFindings.yaml
tactics:
- Discovery
- Reconnaissance
- CredentialAccess
severity: Medium
relevantTechniques: []
triggerThreshold: 0
version: 1.0.0
description: |
  Creates an incident for each Medium severity finding reported by XBOW that is currently
  in an open state. These findings represent moderate security risks that should be
  addressed in a timely manner. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.  
customDetails:
  State: State
  Mitigations: Mitigations
  AssetId: AssetId
  CreatedAt: CreatedAt
  Severity: Severity
  FindingId: FindingId
  AssetName: AssetName
  OrganizationId: OrganizationId
  FindingName: FindingName