Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
customDetails:
Status: Status
Service: Service
NV_CVE: NV_CVE
MappedSeverity: Severity
AlertID: AlertID
severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
incidentConfiguration:
alertDetailsOverride:
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
severityColumnName: MappedSeverity
relevantTechniques:
- T1190
kind: Scheduled
name: Cyble Vision Alerts New Vulnerability Detected
tactics:
- InitialAccess
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
enabled: true
queryfrequency: 30m
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
