Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

blacklens Insights

Id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
Rulename: blacklens Insights
Description: Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.
Severity: High
Tactics: Reconnaissance, ResourceDevelopment, InitialAccess, CredentialAccess, Collection, Exfiltration, DefenseEvasion, CommandAndControl
Techniques: T1595, T1583, T1190, T1110, T1005, T1041, T1562, T1071
Required data connectors: blacklens_io
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
Version: 1.0.0
Arm template: e261b70a-3005-4a1b-a7a2-2c8147fafed7.json
blacklens_CL
| summarize arg_max(TimeGenerated, *) by id
| extend AlertSeverity = case(
    tolower(severity) == "critical", "High",
    tolower(severity) == "high", "High",
    tolower(severity) == "medium", "Medium",
    tolower(severity) == "low", "Low",
    "Informational"
)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens/Analytic Rules/blacklensInsights.yaml
query: |
  blacklens_CL
  | summarize arg_max(TimeGenerated, *) by id
  | extend AlertSeverity = case(
      tolower(severity) == "critical", "High",
      tolower(severity) == "high", "High",
      tolower(severity) == "medium", "Medium",
      tolower(severity) == "low", "Low",
      "Informational"
  )
suppressionDuration: PT1H
suppressionEnabled: false
kind: NRT
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: link
requiredDataConnectors:
- dataTypes:
  - blacklens_CL
  connectorId: blacklens_io
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- DefenseEvasion
- CommandAndControl
version: 1.0.0
description: |
    'Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.'
severity: High
alertDetailsOverride:
  alertDisplayNameFormat: '{{alert_title}}'
  alertSeverityColumnName: AlertSeverity
  alertDescriptionFormat: '{{message}}'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
name: blacklens Insights
id: e261b70a-3005-4a1b-a7a2-2c8147fafed7
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
relevantTechniques:
- T1595
- T1583
- T1190
- T1110
- T1005
- T1041
- T1562
- T1071