Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
name: Cyble Vision Alerts New Vulnerability Detected
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
queryfrequency: 30m
triggerOperator: GreaterThan
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
tactics:
- InitialAccess
status: Available
incidentConfiguration:
alertDetailsOverride:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: PT5H
enabled: false
severityColumnName: MappedSeverity
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
createIncident: true
enabled: true
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
version: 1.0.0
customDetails:
NV_CVE: NV_CVE
Service: Service
MappedSeverity: Severity
Status: Status
AlertID: AlertID
kind: Scheduled
relevantTechniques:
- T1190
entityMappings:
severity: Low
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
queryPeriod: 30m
