Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
entityMappings:
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
incidentConfiguration:
severityColumnName: MappedSeverity
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
alertDetailsOverride:
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
severity: Low
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
AlertID: AlertID
MappedSeverity: Severity
Service: Service
NV_CVE: NV_CVE
Status: Status
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
kind: Scheduled
queryPeriod: 30m
enabled: true
version: 1.0.0
name: Cyble Vision Alerts New Vulnerability Detected
queryfrequency: 30m
triggerThreshold: 0
relevantTechniques:
- T1190
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
triggerOperator: GreaterThan