Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BitSight - compromised systems detected

BitSight - compromised systems detected

Back
Idd68b758a-b117-4cb8-8e1d-dcab5a4a2f21
RulenameBitSight - compromised systems detected
DescriptionRule helps to detect whenever there is a compromised systems found in BitSight.
SeverityMedium
TacticsExecution
TechniquesT1203
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightCompromisedSystemsDetected.yaml
Version1.0.2
Arm templated68b758a-b117-4cb8-8e1d-dcab5a4a2f21.json
Deploy To Azure
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Compromised Systems"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                          Severity <= 8.9 and Severity >= 7.0, "Medium",
                          Severity <= 10.0 and Severity >= 9.0, "High",
                          "Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId

eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: RiskVector
  - identifier: Category
    columnName: RiskCategory
requiredDataConnectors:
- dataTypes:
  - BitSightFindingsData
  connectorId: BitSight
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightCompromisedSystemsDetected.yaml
incidentConfiguration:
  createIncident: true
name: BitSight - compromised systems detected
alertDetailsOverride:
  alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
  alertSeverityColumnName: Severity
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Compromised Systems'
relevantTechniques:
- T1203
status: Available
version: 1.0.2
queryPeriod: 24h
kind: Scheduled
id: d68b758a-b117-4cb8-8e1d-dcab5a4a2f21
query: |
  let timeframe = 24h;
  BitSightFindingsData
  | where ingestion_time() > ago(timeframe)
  | where RiskCategory == "Compromised Systems"
  | extend Severity = toreal(Severity)
  | extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                            Severity <= 8.9 and Severity >= 7.0, "Medium",
                            Severity <= 10.0 and Severity >= 9.0, "High",
                            "Informational")
  | project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId  
description: |
    'Rule helps to detect whenever there is a compromised systems found in BitSight.'
queryFrequency: 1d
severity: Medium
triggerOperator: GreaterThan
tactics:
- Execution