Microsoft Sentinel Analytic Rules

blacklens Insights

Id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
Rulename: blacklens Insights
Description: Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.
Severity: High
Tactics: Reconnaissance, ResourceDevelopment, InitialAccess, CredentialAccess, Collection, Exfiltration, DefenseEvasion, CommandAndControl
Techniques: T1595, T1583, T1190, T1110, T1005, T1041, T1562, T1071
Required data connectors: blacklens_io
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
Version: 1.0.0
Arm template: e261b70a-3005-4a1b-a7a2-2c8147fafed7.json

Query:
blacklens_CL
| summarize arg_max(TimeGenerated, *) by id
| extend AlertSeverity = case(
    tolower(severity) == "critical", "High",
    tolower(severity) == "high", "High",
    tolower(severity) == "medium", "Medium",
    tolower(severity) == "low", "Low",
    "Informational"
)
entityMappings:
- fieldMappings:
  - columnName: link
    identifier: Url
  entityType: URL
alertDetailsOverride:
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: '{{message}}'
  alertDisplayNameFormat: '{{alert_title}}'
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- DefenseEvasion
- CommandAndControl
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
suppressionDuration: PT1H
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
status: Available
version: 1.0.0
relevantTechniques:
- T1595
- T1583
- T1190
- T1110
- T1005
- T1041
- T1562
- T1071
query: |
  blacklens_CL
  | summarize arg_max(TimeGenerated, *) by id
  | extend AlertSeverity = case(
      tolower(severity) == "critical", "High",
      tolower(severity) == "high", "High",
      tolower(severity) == "medium", "Medium",
      tolower(severity) == "low", "Low",
      "Informational"
  )  
severity: High
kind: NRT
name: blacklens Insights
id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
description: |
    'Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.'
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - blacklens_CL
  connectorId: blacklens_io