Microsoft Sentinel Analytic Rules

blacklens Insights

Id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
Rulename: blacklens Insights
Description: Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.
Severity: High
Tactics: Reconnaissance, ResourceDevelopment, InitialAccess, CredentialAccess, Collection, Exfiltration, DefenseEvasion, CommandAndControl
Techniques: T1595, T1583, T1190, T1110, T1005, T1041, T1562, T1071
Required data connectors: blacklens_io
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
Version: 1.0.0
Arm template: e261b70a-3005-4a1b-a7a2-2c8147fafed7.json

blacklens_CL
| summarize arg_max(TimeGenerated, *) by id
| extend AlertSeverity = case(
    tolower(severity) == "critical", "High",
    tolower(severity) == "high", "High",
    tolower(severity) == "medium", "Medium",
    tolower(severity) == "low", "Low",
    "Informational"
)
name: blacklens Insights
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
query: |
  blacklens_CL
  | summarize arg_max(TimeGenerated, *) by id
  | extend AlertSeverity = case(
      tolower(severity) == "critical", "High",
      tolower(severity) == "high", "High",
      tolower(severity) == "medium", "Medium",
      tolower(severity) == "low", "Low",
      "Informational"
  )
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: link
    identifier: Url
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
suppressionEnabled: false
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- DefenseEvasion
- CommandAndControl
suppressionDuration: PT1H
kind: NRT
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
alertDetailsOverride:
  alertDescriptionFormat: '{{message}}'
  alertSeverityColumnName: AlertSeverity
  alertDisplayNameFormat: '{{alert_title}}'
relevantTechniques:
- T1595
- T1583
- T1190
- T1110
- T1005
- T1041
- T1562
- T1071
id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
severity: High
requiredDataConnectors:
- connectorId: blacklens_io
  dataTypes:
  - blacklens_CL
status: Available
description: |
    'Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.'