Vulerabilities
| Id | d096643d-6789-4c74-8893-dd3fc8a94069 |
| Rulename | Vulerabilities |
| Description | This query searches for all the vulerabilities that RidgeBot identified |
| Severity | High |
| Tactics | Execution InitialAccess PrivilegeEscalation |
| Techniques | T1189 T1059 T1053 T1548 |
| Required data connectors | CefAma RidgeBotDataConnector |
| Kind | Scheduled |
| Query frequency | 12h |
| Query period | 12h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Vulnerabilities.yaml |
| Version | 1.0.1 |
| Arm template | d096643d-6789-4c74-8893-dd3fc8a94069.json |
CommonSecurityLog
| where DeviceVendor == "RidgeSecurity"
| where DeviceEventClassID startswith "40"
| order by LogSeverity
entityMappings:
- fieldMappings:
- columnName: DeviceVendor
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: Computer
identifier: Address
entityType: IP
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Vulnerabilities.yaml
version: 1.0.1
tactics:
- Execution
- InitialAccess
- PrivilegeEscalation
queryPeriod: 12h
kind: Scheduled
id: d096643d-6789-4c74-8893-dd3fc8a94069
severity: High
query: |
CommonSecurityLog
| where DeviceVendor == "RidgeSecurity"
| where DeviceEventClassID startswith "40"
| order by LogSeverity
triggerThreshold: 0
name: Vulerabilities
status: Available
description: |
This query searches for all the vulerabilities that RidgeBot identified
relevantTechniques:
- T1189
- T1059
- T1053
- T1548
requiredDataConnectors:
- connectorId: RidgeBotDataConnector
dataTypes:
- CommonSecurityLog
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 12h