XbowLowFindings
| Id | d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01 |
| Rulename | XbowLowFindings |
| Description | Creates an incident for each Low severity finding reported by XBOW that is currently in an open state. These findings represent minor security issues or best-practice violations that should be addressed as part of regular security maintenance. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | Low |
| Tactics | Discovery |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml |
| Version | 1.0.0 |
| Arm template | d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01.json |
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: Url
columnName: StartUrl
entityType: URL
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- XbowFindings_CL
- XbowAssets_CL
connectorId: XbowSecurityConnector
queryFrequency: 1h
alertDetailsOverride:
alertDisplayNameFormat: 'XBOW Low: {{FindingName}}'
alertDescriptionFormat: Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
queryPeriod: 2h
status: Available
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 24h
groupByAlertDetails: []
reopenClosedIncident: false
matchingMethod: Selected
groupByCustomDetails:
- FindingId
groupByEntities: []
enabled: true
createIncident: true
query: |
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
name: XbowLowFindings
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
tactics:
- Discovery
severity: Low
relevantTechniques: []
triggerThreshold: 0
version: 1.0.0
description: |
Creates an incident for each Low severity finding reported by XBOW that is currently
in an open state. These findings represent minor security issues or best-practice
violations that should be addressed as part of regular security maintenance. Each
alert is deduplicated per finding so re-ingestion of the same finding does not
produce duplicate incidents.
customDetails:
State: State
Mitigations: Mitigations
AssetId: AssetId
CreatedAt: CreatedAt
Severity: Severity
FindingId: FindingId
AssetName: AssetName
OrganizationId: OrganizationId
FindingName: FindingName