BloodHound Enterprise - Number of critical attack paths increase

BloodHoundEnterprise
| where data_type == "posture"
| where created_at > ago (7d)
| summarize min_critical_risk_count = min(critical_risk_count), arg_max(created_at, current_critical_risk_count = critical_risk_count) by domain_name
| extend  difference = current_critical_risk_count - min_critical_risk_count
| where difference > 0

relevantTechniques: []
name: BloodHound Enterprise - Number of critical attack paths increase
requiredDataConnectors:
- dataTypes:
  - BloodHoundEnterprise
  connectorId: BloodHoundEnterprise
entityMappings:
- fieldMappings:
  - identifier: DomainName
    displayName: domain_name
  entityType: DNS
triggerThreshold: 0
id: df292d06-f348-41ad-b780-0abb5acfe9ab
tactics: []
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseCriticalAttackPaths.yaml
queryPeriod: 7d
kind: Scheduled
queryFrequency: 7d
severity: Medium
status: Available
description: |
    'The number of critical attack paths has increased over the past 7 days.'
query: |
  BloodHoundEnterprise
  | where data_type == "posture"
  | where created_at > ago (7d)
  | summarize min_critical_risk_count = min(critical_risk_count), arg_max(created_at, current_critical_risk_count = critical_risk_count) by domain_name
  | extend  difference = current_critical_risk_count - min_critical_risk_count
  | where difference > 0  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/df292d06-f348-41ad-b780-0abb5acfe9ab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/df292d06-f348-41ad-b780-0abb5acfe9ab')]",
      "properties": {
        "alertRuleTemplateName": "df292d06-f348-41ad-b780-0abb5acfe9ab",
        "customDetails": null,
        "description": "'The number of critical attack paths has increased over the past 7 days.'\n",
        "displayName": "BloodHound Enterprise - Number of critical attack paths increase",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "displayName": "domain_name",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseCriticalAttackPaths.yaml",
        "query": "BloodHoundEnterprise\n| where data_type == \"posture\"\n| where created_at > ago (7d)\n| summarize min_critical_risk_count = min(critical_risk_count), arg_max(created_at, current_critical_risk_count = critical_risk_count) by domain_name\n| extend  difference = current_critical_risk_count - min_critical_risk_count\n| where difference > 0\n",
        "queryFrequency": "P7D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}