Microsoft Sentinel Analytic Rules

XbowLowFindings

Id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
Rulename: XbowLowFindings
Description: Creates an incident for each Low severity finding reported by XBOW that is currently in an open state. These findings represent minor security issues or best-practice violations that should be addressed as part of regular security maintenance. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents.
Severity: Low
Tactics: Discovery
Required data connectors: XbowSecurityConnector
Kind: Scheduled
Query frequency: 1h
Query period: 2h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
Version: 1.0.0
Arm template: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01.json
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(2h)
  | where tolower(Severity) == 'low'
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl  
version: 1.0.0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
    - FindingId
    matchingMethod: Selected
    groupByEntities: []
    groupByAlertDetails: []
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 24h
tactics:
- Discovery
triggerThreshold: 0
kind: Scheduled
relevantTechniques: []
customDetails:
  FindingId: FindingId
  AssetName: AssetName
  State: State
  AssetId: AssetId
  OrganizationId: OrganizationId
  FindingName: FindingName
  Severity: Severity
  Mitigations: Mitigations
  CreatedAt: CreatedAt
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: StartUrl
    identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
name: XbowLowFindings
description: |
  Creates an incident for each Low severity finding reported by XBOW that is currently
  in an open state. These findings represent minor security issues or best-practice
  violations that should be addressed as part of regular security maintenance. Each
  alert is deduplicated per finding so re-ingestion of the same finding does not
  produce duplicate incidents.  
alertDetailsOverride:
  alertDescriptionFormat: Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
  alertDisplayNameFormat: 'XBOW Low: {{FindingName}}'
queryPeriod: 2h
triggerOperator: gt
id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
status: Available
severity: Low
requiredDataConnectors:
- dataTypes:
  - XbowFindings_CL
  - XbowAssets_CL
  connectorId: XbowSecurityConnector
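Two things worth reading out of the rule above before deploying it. First, the query admits findings whose State column is empty as well as those marked open, so a connector that leaves State blank will alert on everything of Low severity. Second, with a 1h frequency and a 2h period every finding is returned by two consecutive runs; the arg_max in the query only dedupes within one run, and it is the incident grouping on the FindingId custom detail (24h lookback) that actually keeps those two alerts in one incident. Because reopenClosedIncident is false, a finding re-ingested after its incident is closed opens a new one. All of that depends on the column names in the query, customDetails, entityMappings and alertDetailsOverride staying in sync, which is easy to break when a rule is edited. The following Python check is an added example for this page, not code from the Azure-Sentinel repository or the XBOW solution; the RULE dict is transcribed from the YAML above, and check_rule, projected_columns and minutes are hypothetical helper names.

```python
"""Consistency checks for a Microsoft Sentinel scheduled analytic rule.

Added example; not part of the Azure-Sentinel repo or the XBOW solution.
RULE is transcribed from the XbowLowFindings YAML shown on this page.
"""
import re

RULE = {  # transcribed from the page's YAML; only the fields the checks use
    "name": "XbowLowFindings", "kind": "Scheduled",
    "queryFrequency": "1h", "queryPeriod": "2h",
    "triggerOperator": "gt", "triggerThreshold": 0,
    "query": """
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated, FindingId, FindingName, Severity, State, Summary, Impact,
    Mitigations, Recipe, AssetId, AssetName, OrganizationId, CreatedAt, StartUrl
""",
    "customDetails": {
        "FindingId": "FindingId", "AssetName": "AssetName", "State": "State",
        "AssetId": "AssetId", "OrganizationId": "OrganizationId",
        "FindingName": "FindingName", "Severity": "Severity",
        "Mitigations": "Mitigations", "CreatedAt": "CreatedAt",
    },
    "entityMappings": [
        {"entityType": "URL",
         "fieldMappings": [{"columnName": "StartUrl", "identifier": "Url"}]},
    ],
    "alertDetailsOverride": {
        "alertDescriptionFormat":
            "Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}",
        "alertDisplayNameFormat": "XBOW Low: {{FindingName}}",
    },
    "incidentConfiguration": {"groupingConfiguration": {
        "enabled": True, "matchingMethod": "Selected",
        "groupByCustomDetails": ["FindingId"], "lookbackDuration": "24h",
        "reopenClosedIncident": False,
    }},
}

_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440}


def minutes(duration):
    """Parse a Sentinel duration such as '30m', '2h' or '1d' into minutes."""
    m = re.fullmatch(r"(\d+)([mhd])", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def projected_columns(query):
    """Column names emitted by the query's final '| project' clause, or None.

    rsplit picks the last 'project', so the one inside the join subquery
    is ignored and only the rule's output schema is considered.
    """
    parts = query.rstrip().rsplit("| project", 1)
    if len(parts) != 2:
        return None
    return {c.strip() for c in parts[1].split(",") if c.strip()}


def check_rule(rule):
    """Return a list of problems; an empty list means the rule is consistent."""
    problems = []
    cols = projected_columns(rule["query"])
    if cols is None:
        return ["query has no final '| project' clause; column checks skipped"]
    custom = rule.get("customDetails", {})
    for alias, col in custom.items():  # alias -> query column
        if col not in cols:
            problems.append(f"customDetails {alias} -> {col}: column not projected")
    for em in rule.get("entityMappings", []):
        for fm in em["fieldMappings"]:
            if fm["columnName"] not in cols:
                problems.append(f"entityMapping {em['entityType']}.{fm['identifier']}: "
                                f"column {fm['columnName']} not projected")
    for fmt in rule.get("alertDetailsOverride", {}).values():
        for placeholder in re.findall(r"\{\{(\w+)\}\}", fmt):
            if placeholder not in cols:
                problems.append(f"alertDetailsOverride {{{{{placeholder}}}}}: column not projected")
    grp = rule["incidentConfiguration"]["groupingConfiguration"]
    for key in grp.get("groupByCustomDetails", []) if grp.get("enabled") else []:
        if key not in custom:
            problems.append(f"groupByCustomDetails {key}: not a defined custom detail")
    freq, period = minutes(rule["queryFrequency"]), minutes(rule["queryPeriod"])
    if period < freq:
        problems.append("queryPeriod shorter than queryFrequency: events can be missed")
    elif period > freq:  # overlapping windows: only incident grouping dedupes across runs
        if not grp.get("enabled"):
            problems.append("overlapping windows without incident grouping: duplicate incidents")
        elif minutes(grp.get("lookbackDuration", "0m")) < period:
            problems.append("grouping lookbackDuration shorter than queryPeriod")
    return problems


if __name__ == "__main__":
    for p in check_rule(RULE) or ["rule is consistent"]:
        print(p)
```

Run it against the rule as shown and it reports no problems; rename a projected column, or add a custom detail that the query does not emit, and the corresponding check fires. It is deliberately a static check: it parses the final project clause textually and does not evaluate KQL, so a column that exists in XbowFindings_CL but is dropped by the project still counts as missing, which is the case that breaks entity mapping and custom details in the portal.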