Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
queryPeriod: 30m
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
relevantTechniques:
- T1190
triggerThreshold: 0
customDetails:
Service: Service
NV_CVE: NV_CVE
MappedSeverity: Severity
AlertID: AlertID
Status: Status
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
queryfrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
incidentConfiguration:
alertDetailsOverride:
groupingConfiguration:
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: PT5H
createIncident: true
severityColumnName: MappedSeverity
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
entityMappings:
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: GreaterThan
tactics:
- InitialAccess
status: Available
name: Cyble Vision Alerts New Vulnerability Detected
version: 1.0.0
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
dataTypes:
- CybleVisionAlerts_CL
kind: Scheduled
enabled: true
