Microsoft Sentinel Analytic Rules

blacklens Insights

Id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
Rulename: blacklens Insights
Description: Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.
Severity: High
Tactics: Reconnaissance, ResourceDevelopment, InitialAccess, CredentialAccess, Collection, Exfiltration, DefenseEvasion, CommandAndControl
Techniques: T1595, T1583, T1190, T1110, T1005, T1041, T1562, T1071
Required data connectors: blacklens_io
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
Version: 1.0.0
Arm template: e261b70a-3005-4a1b-a7a2-2c8147fafed7.json
blacklens_CL
| summarize arg_max(TimeGenerated, *) by id
| extend AlertSeverity = case(
    tolower(severity) == "critical", "High",
    tolower(severity) == "high", "High",
    tolower(severity) == "medium", "Medium",
    tolower(severity) == "low", "Low",
    "Informational"
)
suppressionDuration: PT1H
kind: NRT
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
relevantTechniques:
- T1595
- T1583
- T1190
- T1110
- T1005
- T1041
- T1562
- T1071
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: link
id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
requiredDataConnectors:
- connectorId: blacklens_io
  dataTypes:
  - blacklens_CL
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: '{{message}}'
  alertDisplayNameFormat: '{{alert_title}}'
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- DefenseEvasion
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.'
suppressionEnabled: false
severity: High
name: blacklens Insights
query: |
  blacklens_CL
  | summarize arg_max(TimeGenerated, *) by id
  | extend AlertSeverity = case(
      tolower(severity) == "critical", "High",
      tolower(severity) == "high", "High",
      tolower(severity) == "medium", "Medium",
      tolower(severity) == "low", "Low",
      "Informational"
  )
version: 1.0.0