Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
tactics:
- InitialAccess
severity: Low
version: 1.0.0
customDetails:
Status: Status
AlertID: AlertID
MappedSeverity: Severity
NV_CVE: NV_CVE
Service: Service
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
incidentConfiguration:
alertDetailsOverride:
createIncident: true
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
severityColumnName: MappedSeverity
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
kind: Scheduled
entityMappings:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
queryfrequency: 30m
name: Cyble Vision Alerts New Vulnerability Detected
enabled: true
status: Available
relevantTechniques:
- T1190
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
queryPeriod: 30m
triggerOperator: GreaterThan
triggerThreshold: 0
