XbowLowFindings
| Field | Value |
|---|---|
| Id | d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01 |
| Rulename | XbowLowFindings |
| Description | Creates an incident for each Low severity finding reported by XBOW that is currently in an open state. These findings represent minor security issues or best-practice violations that should be addressed as part of regular security maintenance. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | Low |
| Tactics | Discovery |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml |
| Version | 1.0.1 |
| Arm template | d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01.json |
```kusto
XbowFindings_CL
| where TimeGenerated > ago(2h)
| where tolower(Severity) == 'low'
| where isempty(State) or tolower(State) == 'open'
// keep only the latest record per finding so re-ingested findings do not alert twice
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
```
```yaml
status: Available
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(2h)
  | where tolower(Severity) == 'low'
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowLowFindings.yaml
tactics:
  - Discovery
triggerThreshold: 0
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: StartUrl
requiredDataConnectors:
  - connectorId: XbowSecurityConnector
    dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
alertDetailsOverride:
  alertDescriptionFormat: Low severity finding on asset {{AssetName}} ({{AssetId}}). {{Summary}}
  alertDisplayNameFormat: 'XBOW Low: {{FindingName}}'
relevantTechniques: []
customDetails:
  Severity: Severity
  Mitigations: Mitigations
  AssetID: AssetId
  OrganizationID: OrganizationId
  FindingName: FindingName
  CreatedAt: CreatedAt
  FindingID: FindingId
  AssetName: AssetName
  State: State
description: |
  Creates an incident for each Low severity finding reported by XBOW that is currently
  in an open state. These findings represent minor security issues or best-practice
  violations that should be addressed as part of regular security maintenance. Each
  alert is deduplicated per finding so re-ingestion of the same finding does not
  produce duplicate incidents.
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    enabled: true
    groupByCustomDetails:
      - FindingID
    lookbackDuration: 24h
    reopenClosedIncident: false
  createIncident: true
name: XbowLowFindings
version: 1.0.1
kind: Scheduled
id: d2e4f1a8-7c9b-4356-8e0d-5a2b7c8e9f01
severity: Low
```