Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vulerabilities

Back
Idd096643d-6789-4c74-8893-dd3fc8a94069
RulenameVulerabilities
DescriptionThis query searches for all the vulerabilities that RidgeBot identified
SeverityHigh
TacticsExecution
InitialAccess
PrivilegeEscalation
TechniquesT1189
T1059
T1053
T1548
Required data connectorsCefAma
RidgeBotDataConnector
KindScheduled
Query frequency12h
Query period12h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Vulnerabilities.yaml
Version1.0.1
Arm templated096643d-6789-4c74-8893-dd3fc8a94069.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "RidgeSecurity"
| where DeviceEventClassID startswith "40"
| order by LogSeverity
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: RidgeBotDataConnector
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
triggerThreshold: 0
relevantTechniques:
- T1189
- T1059
- T1053
- T1548
queryPeriod: 12h
version: 1.0.1
id: d096643d-6789-4c74-8893-dd3fc8a94069
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Vulnerabilities.yaml
query: |
  CommonSecurityLog
  | where DeviceVendor == "RidgeSecurity"
  | where DeviceEventClassID startswith "40"
  | order by LogSeverity  
status: Available
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceVendor
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: Computer
  entityType: IP
tactics:
- Execution
- InitialAccess
- PrivilegeEscalation
severity: High
name: Vulerabilities
queryFrequency: 12h
triggerOperator: gt
kind: Scheduled
description: |
    This query searches for all the vulerabilities that RidgeBot identified
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d096643d-6789-4c74-8893-dd3fc8a94069')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d096643d-6789-4c74-8893-dd3fc8a94069')]",
      "properties": {
        "alertRuleTemplateName": "d096643d-6789-4c74-8893-dd3fc8a94069",
        "customDetails": null,
        "description": "This query searches for all the vulerabilities that RidgeBot identified\n",
        "displayName": "Vulerabilities",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "DeviceVendor",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RidgeSecurity/Analytic Rules/RidgeSecurity_Vulnerabilities.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"RidgeSecurity\"\n| where DeviceEventClassID startswith \"40\"\n| order by LogSeverity\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1053",
          "T1059",
          "T1189",
          "T1548"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}