Microsoft Sentinel Analytic Rules
cloudbrothers.info: Azure Sentinel Repo

XbowLowFindings

Id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
Rulename: XbowLowFindings
Description: Creates an incident for each Low severity finding reported by XBOW that is currently in an open state. These findings represent minor security issues or best-practice violations that should be addressed as part of regular security maintenance. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents.
Severity: Low
Tactics: Discovery
Required data connectors: XbowSecurityConnector
Kind: Scheduled
Query frequency: 1h
Query period: 2h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
Version: 1.0.0
Arm template: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01.json

Query (KQL):
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl

Rule definition (YAML):
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails:
    - FindingId
    matchingMethod: Selected
    groupByAlertDetails: []
    groupByEntities: []
    lookbackDuration: 24h
    enabled: true
    reopenClosedIncident: false
requiredDataConnectors:
- dataTypes:
  - XbowFindings_CL
  - XbowAssets_CL
  connectorId: XbowSecurityConnector
relevantTechniques: []
triggerOperator: gt
customDetails:
  State: State
  CreatedAt: CreatedAt
  Mitigations: Mitigations
  AssetName: AssetName
  FindingId: FindingId
  FindingName: FindingName
  AssetId: AssetId
  OrganizationId: OrganizationId
  Severity: Severity
queryFrequency: 1h
severity: Low
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: StartUrl
    identifier: Url
  entityType: URL
alertDetailsOverride:
  alertDescriptionFormat: Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
  alertDisplayNameFormat: 'XBOW Low: {{FindingName}}'
name: XbowLowFindings
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(2h)
  | where tolower(Severity) == 'low'
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl  
version: 1.0.0
tactics:
- Discovery
queryPeriod: 2h
description: |
  Creates an incident for each Low severity finding reported by XBOW that is currently
  in an open state. These findings represent minor security issues or best-practice
  violations that should be addressed as part of regular security maintenance. Each
  alert is deduplicated per finding so re-ingestion of the same finding does not
  produce duplicate incidents.  
kind: Scheduled
id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
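The rule above only works as intended if every column named under customDetails, entityMappings, alertDetailsOverride and groupByCustomDetails is actually emitted by the query's final project, if each table the KQL reads is declared under requiredDataConnectors, and if queryPeriod is at least queryFrequency (otherwise findings ingested between runs are never evaluated). The script below is an added example, not code from the Azure-Sentinel repository or from the XBOW solution: it encodes those checks and runs them against a hand-transcribed copy of this rule. The RULE dict, the check names and the messages are the example's own; PyYAML is avoided so the script needs only the standard library.

```python
"""Consistency checks for a Microsoft Sentinel scheduled analytic rule.

Added example, not code from the Azure-Sentinel repository or the XBOW
solution. RULE is a hand transcription of the XbowLowFindings YAML shown on
this page; PyYAML is deliberately avoided so only the standard library is used.
"""
import re

RULE = {
    "name": "XbowLowFindings",
    "queryFrequency": "1h",
    "queryPeriod": "2h",
    "query": """
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated, FindingId, FindingName, Severity, State, Summary, Impact,
    Mitigations, Recipe, AssetId, AssetName, OrganizationId, CreatedAt, StartUrl
""",
    "customDetails": {
        "State": "State", "CreatedAt": "CreatedAt", "Mitigations": "Mitigations",
        "AssetName": "AssetName", "FindingId": "FindingId", "FindingName": "FindingName",
        "AssetId": "AssetId", "OrganizationId": "OrganizationId", "Severity": "Severity",
    },
    "entityMappings": [
        {"entityType": "URL", "fieldMappings": [{"identifier": "Url", "columnName": "StartUrl"}]},
    ],
    "alertDetailsOverride": {
        "alertDisplayNameFormat": "XBOW Low: {{FindingName}}",
        "alertDescriptionFormat": "Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}",
    },
    "incidentConfiguration": {
        "groupingConfiguration": {"groupByCustomDetails": ["FindingId"], "lookbackDuration": "24h"},
    },
    "requiredDataConnectors": [
        {"connectorId": "XbowSecurityConnector", "dataTypes": ["XbowFindings_CL", "XbowAssets_CL"]},
    ],
}

_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440}


def to_minutes(duration):
    """'5m', '2h' or '1d' (the short form used in Sentinel rule YAML) -> minutes."""
    m = re.fullmatch(r"(\d+)([mhd])", duration)
    if not m:
        raise ValueError(f"unsupported duration {duration!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def projected_columns(query):
    """Columns emitted by the query's final `| project` clause (empty set if none)."""
    _, sep, tail = query.rstrip().rpartition("| project")
    if not sep:
        return set()
    return {c.strip() for c in tail.split(",") if c.strip()}


def referenced_tables(query):
    """Custom-log tables (the _CL suffix) the query reads."""
    return set(re.findall(r"\b(\w+_CL)\b", query))


def check_rule(rule):
    """Return human-readable problems; an empty list means the rule is self-consistent."""
    problems = []
    cols = projected_columns(rule["query"])
    details = rule.get("customDetails", {})

    # A period shorter than the frequency leaves gaps that no run ever evaluates.
    if to_minutes(rule["queryPeriod"]) < to_minutes(rule["queryFrequency"]):
        problems.append("queryPeriod is shorter than queryFrequency")

    # Custom details, grouping keys, entity columns and {{placeholders}} all
    # resolve against the query's output, so each must be a projected column.
    for key, col in details.items():
        if col not in cols:
            problems.append(f"customDetails.{key} -> '{col}' is not projected")
    grouping = rule["incidentConfiguration"]["groupingConfiguration"]
    for key in grouping.get("groupByCustomDetails", []):
        if key not in details:
            problems.append(f"groupByCustomDetails '{key}' is not a customDetails key")
    for mapping in rule.get("entityMappings", []):
        for fm in mapping["fieldMappings"]:
            if fm["columnName"] not in cols:
                problems.append(f"entity {mapping['entityType']}.{fm['identifier']} "
                                f"uses unprojected column '{fm['columnName']}'")
    for fmt in rule.get("alertDetailsOverride", {}).values():
        for ph in set(re.findall(r"\{\{(\w+)\}\}", fmt)) - cols:
            problems.append(f"placeholder {{{{{ph}}}}} is not a projected column")

    # Every table the query reads must be declared as a connector data type.
    declared = {dt for c in rule["requiredDataConnectors"] for dt in c["dataTypes"]}
    for table in sorted(referenced_tables(rule["query"]) - declared):
        problems.append(f"query reads {table} but no data connector declares it")
    return problems


if __name__ == "__main__":
    issues = check_rule(RULE)
    print("\n".join(issues) if issues else f"{RULE['name']}: no consistency problems")
```

Running the script against this rule reports no problems; dropping StartUrl from the final project, or shortening queryPeriod below 1h, makes the corresponding check fire. The deduplication the description promises comes from two places visible in the YAML: `summarize arg_max(TimeGenerated, *) by FindingId` collapses repeats of one finding within a single 2h window, and grouping on the FindingId custom detail with a 24h lookbackDuration folds later alerts for the same finding into the existing incident. Because reopenClosedIncident is false, a finding that an analyst has closed in Sentinel but that XBOW still reports as open will open a fresh incident when it is re-ingested.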