XbowCriticalHighFindings
| Field | Value |
| --- | --- |
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess, Execution, PrivilegeEscalation, DefenseEvasion, Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.1 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
```kusto
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
```
```yaml
status: Available
queryFrequency: 30m
queryPeriod: 1h
triggerOperator: gt
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) in ('critical', 'high')
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
tactics:
  - InitialAccess
  - Execution
  - PrivilegeEscalation
  - DefenseEvasion
  - Impact
triggerThreshold: 0
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: StartUrl
requiredDataConnectors:
  - connectorId: XbowSecurityConnector
    dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
alertDetailsOverride:
  alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
  alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
relevantTechniques:
  - T1190
customDetails:
  Severity: Severity
  Mitigations: Mitigations
  AssetID: AssetId
  OrganizationID: OrganizationId
  FindingName: FindingName
  CreatedAt: CreatedAt
  FindingID: FindingId
  AssetName: AssetName
  State: State
description: |
  Creates an incident for each Critical or High severity finding reported by XBOW that
  is currently in an open state. These findings represent the most severe security issues
  and require immediate attention. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    enabled: true
    groupByCustomDetails:
      - FindingID
    lookbackDuration: 24h
    reopenClosedIncident: false
  createIncident: true
name: XbowCriticalHighFindings
version: 1.0.1
kind: Scheduled
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
severity: High
```