Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
description: |
'A newly detected CVE has been associated with a monitored keyword or asset. This may indicate exposure to newly published or exploited vulnerabilities.'
version: 1.0.0
tactics:
- InitialAccess
queryfrequency: 30m
query: |
Alerts_new_vulnerability
| where Service == "new_vulnerability"
| extend MappedSeverity = Severity
status: Available
triggerOperator: GreaterThan
kind: Scheduled
triggerThreshold: 0
customDetails:
Status: Status
MappedSeverity: Severity
Service: Service
AlertID: AlertID
NV_CVE: NV_CVE
enabled: true
relevantTechniques:
- T1190
id: e52f36dd-7d4f-4aa8-a095-3b6fa2b28b8d
queryPeriod: 30m
entityMappings:
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: Low
name: Cyble Vision Alerts New Vulnerability Detected
incidentConfiguration:
severityColumnName: MappedSeverity
alertDisplayNameFormat: New Vulnerability Identified {{NV_CVE}}
alertDetailsOverride:
description: |
A new vulnerability ({{NV_CVE}}) has been identified for one of the monitored keywords or assets. This CVE may pose risks depending on exposure and exploitability. Review CVE details and assess potential impact on your environment.
groupingConfiguration:
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_new_vulnerability_rule.yaml
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
