Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BitSight - compromised systems detected

BitSight - compromised systems detected

Back
Idd68b758a-b117-4cb8-8e1d-dcab5a4a2f21
RulenameBitSight - compromised systems detected
DescriptionRule helps to detect whenever there is a compromised systems found in BitSight.
SeverityMedium
TacticsExecution
Required data connectorsBitSight
KindScheduled
Query frequency1d
Query period24h
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightCompromisedSystemsDetected.yaml
Version1.0.1
Arm templated68b758a-b117-4cb8-8e1d-dcab5a4a2f21.json
Deploy To Azure
let timeframe = 24h;
BitSightFindingsData
| where ingestion_time() > ago(timeframe)
| where RiskCategory == "Compromised Systems"
| extend Severity = toreal(Severity)
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                          Severity <= 8.9 and Severity >= 7.0, "Medium",
                          Severity <= 10.0 and Severity >= 9.0, "High",
                          "Informational")
| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId

eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: BitSight
  dataTypes:
  - BitSightFindingsData
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BitSight/Analytic Rules/BitSightCompromisedSystemsDetected.yaml
triggerThreshold: 0
status: Available
queryPeriod: 24h
requiredTechniques:
- T1203
name: BitSight - compromised systems detected
entityMappings:
- entityType: Malware
  fieldMappings:
  - columnName: RiskVector
    identifier: Name
  - columnName: RiskCategory
    identifier: Category
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
  alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Compromised Systems'
queryFrequency: 1d
triggerOperator: GreaterThan
incidentConfiguration:
  createIncident: true
description: |
    'Rule helps to detect whenever there is a compromised systems found in BitSight.'
tactics:
- Execution
severity: Medium
version: 1.0.1
query: |
  let timeframe = 24h;
  BitSightFindingsData
  | where ingestion_time() > ago(timeframe)
  | where RiskCategory == "Compromised Systems"
  | extend Severity = toreal(Severity)
  | extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
                            Severity <= 8.9 and Severity >= 7.0, "Medium",
                            Severity <= 10.0 and Severity >= 9.0, "High",
                            "Informational")
  | project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId  
id: d68b758a-b117-4cb8-8e1d-dcab5a4a2f21