let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Compromised Systems"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
Severity <= 8.9 and Severity >= 7.0, "Medium",
Severity <= 10.0 and Severity >= 9.0, "High",
"Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId
queryPeriod: 24h
query: |
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Compromised Systems"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
Severity <= 8.9 and Severity >= 7.0, "Medium",
Severity <= 10.0 and Severity >= 9.0, "High",
"Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId
name: BitSight - compromised systems detected
entityMappings:
- fieldMappings:
- columnName: RiskVector
identifier: Name
- columnName: RiskCategory
identifier: Category
entityType: Malware
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightCompromisedSystemsDetected.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Compromised Systems'
alertSeverityColumnName: Severity
description: |
'Rule helps to detect whenever there is a compromised systems found in BitSight.'
kind: Scheduled
triggerOperator: GreaterThan
version: 1.0.1
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: BitSight
dataTypes:
- BitSightFindingsData
requiredTechniques:
- T1203
triggerThreshold: 0
incidentConfiguration:
createIncident: true
tactics:
- Execution
id: d68b758a-b117-4cb8-8e1d-dcab5a4a2f21
