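---
# Microsoft Sentinel scheduled analytic rule (Cyble Vision solution).
# Indentation was lost in the extracted source; nesting below follows the
# Sentinel analytic-rule YAML schema. The source also carried a second,
# un-nested copy of the three query lines ahead of `version:`; it is identical
# to the `query:` body and is not repeated here.
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
name: Cyble Vision Alerts New Vulnerability Detected
# The source wrapped this text in single quotes inside a block scalar, which
# makes the quote characters part of the rendered description; dropped here.
description: |
  A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.
# Fallback severity; per-alert severity comes from alertSeverityColumnName below.
severity: Low
status: Available
enabled: true
kind: Scheduled
version: 1.0.0
requiredDataConnectors:
  - connectorId: CybleVisionAlerts
    dataTypes:
      - CybleVisionAlerts_CL
# Schema key is camelCase `queryFrequency` (source had `queryfrequency`, which
# the schema does not recognise). Frequency equals period, so each run covers
# exactly one interval with no overlap and no gap.
queryFrequency: 30m
queryPeriod: 30m
# GreaterThan 0: any returned row fires the rule.
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  Alerts_new_vulnerability
  | where Service == "new_vulnerability"
  | extend MappedSeverity = Severity
# Explicit empty list rather than a bare key (which parses as null). No
# entities are mapped, so entity-based incident grouping has nothing to match.
entityMappings: []
# Left side is the alias shown on the alert, right side the query column.
# NOTE(review): AlertID, Status and NV_CVE are assumed to be columns of
# Alerts_new_vulnerability — the query does not project them explicitly.
customDetails:
  Service: Service
  MappedSeverity: Severity
  AlertID: AlertID
  Status: Status
  NV_CVE: NV_CVE
# Schema names are alertDescriptionFormat / alertSeverityColumnName (source
# used `description` / `severityColumnName`, which the override ignores).
alertDetailsOverride:
  alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
  alertDescriptionFormat: |
    A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
  # MappedSeverity is a verbatim copy of Severity (see query); the override only
  # takes effect if those values are valid Sentinel severities — confirm against
  # the connector's data.
  alertSeverityColumnName: MappedSeverity
# One alert per result row; with GreaterThan 0 this means one alert per new CVE row.
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  # Grouping is disabled; the remaining keys are inert until it is enabled.
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
# Not a Sentinel rule-schema key; appears to be a catalog annotation from the
# indexer. Quoted because the path contains spaces.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml'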