XbowCriticalHighFindings
| Field | Value |
|---|---|
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess, Execution, PrivilegeEscalation, DefenseEvasion, Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.1 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
```kql
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
```
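As an added illustration (not part of the rule or the Azure-Sentinel XBOW solution), the Python sketch below replays the query's where-filters, `arg_max` deduplication and `leftouter` asset join over constructed rows, with `TimeGenerated` reduced to integer minutes. It also shows the ordering caveat a reviewer would check: because the `State` filter runs before `arg_max`, a finding whose newest record in the window is `closed` but which still has an older `open` record inside `ago(1h)` is kept, whereas deduplicating first and filtering on the newest record's state drops it.

```python
# Added illustration of the rule's KQL pipeline in Python; not XBOW or Azure-Sentinel code.
# Rows below are constructed stand-ins for XbowFindings_CL / XbowAssets_CL, with
# TimeGenerated reduced to integer minutes (all assumed to fall inside ago(1h)).
FINDINGS = [
    {"TimeGenerated": 10, "FindingId": "f-1", "FindingName": "SQL injection", "Severity": "Critical", "State": "open", "AssetId": "a-1"},
    {"TimeGenerated": 20, "FindingId": "f-1", "FindingName": "SQL injection", "Severity": "Critical", "State": "closed", "AssetId": "a-1"},
    {"TimeGenerated": 15, "FindingId": "f-2", "FindingName": "Reflected XSS", "Severity": "High", "State": "", "AssetId": "a-2"},
    {"TimeGenerated": 30, "FindingId": "f-3", "FindingName": "Banner disclosure", "Severity": "Low", "State": "open", "AssetId": "a-1"},
]
ASSETS = [  # two snapshots of the same asset; arg_max keeps the newer StartUrl
    {"TimeGenerated": 5, "AssetId": "a-1", "StartUrl": "https://old.example.test"},
    {"TimeGenerated": 8, "AssetId": "a-1", "StartUrl": "https://app.example.test"},
]


def arg_max_by(rows, key):
    """summarize arg_max(TimeGenerated, *) by <key>: newest row per key value."""
    latest = {}
    for r in rows:
        k = r[key]
        if k not in latest or r["TimeGenerated"] > latest[k]["TimeGenerated"]:
            latest[k] = r
    return list(latest.values())


def is_open_critical_high(r):
    """The two where-clauses: Severity Critical/High, and State empty or 'open'."""
    sev_ok = r["Severity"].lower() in ("critical", "high")
    return sev_ok and (r["State"] == "" or r["State"].lower() == "open")


def run_rule(findings, assets, filter_first=True):
    """Replay the pipeline and return {FindingId: projected row}.
    filter_first=True is the published order (where, then arg_max);
    False deduplicates first, then filters on the newest record's State."""
    rows = [r for r in findings if is_open_critical_high(r)] if filter_first else findings
    rows = arg_max_by(rows, "FindingId")
    if not filter_first:
        rows = [r for r in rows if is_open_critical_high(r)]
    # join kind=leftouter: findings with no asset snapshot keep an empty StartUrl
    url_by_asset = {a["AssetId"]: a["StartUrl"] for a in arg_max_by(assets, "AssetId")}
    return {r["FindingId"]: {**r, "StartUrl": url_by_asset.get(r["AssetId"], "")} for r in rows}


if __name__ == "__main__":
    print(sorted(run_rule(FINDINGS, ASSETS)))                     # ['f-1', 'f-2']
    print(sorted(run_rule(FINDINGS, ASSETS, filter_first=False)))  # ['f-2']
```

Whichever ordering matches how XBOW re-ingests state changes, the rule's grouping on the `FindingID` custom detail with a 24h lookback folds the repeat alerts produced by the 30m schedule over a 1h window into one incident per finding.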
```yaml
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: StartUrl
tactics:
  - InitialAccess
  - Execution
  - PrivilegeEscalation
  - DefenseEvasion
  - Impact
requiredDataConnectors:
  - dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
    connectorId: XbowSecurityConnector
alertDetailsOverride:
  alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
  alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 24h
    groupByCustomDetails:
      - FindingID
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  FindingID: FindingId
  AssetID: AssetId
  FindingName: FindingName
  AssetName: AssetName
  OrganizationID: OrganizationId
  Mitigations: Mitigations
  CreatedAt: CreatedAt
  State: State
  Severity: Severity
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) in ('critical', 'high')
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.1
name: XbowCriticalHighFindings
queryFrequency: 30m
triggerThreshold: 0
relevantTechniques:
  - T1190
description: |
  Creates an incident for each Critical or High severity finding reported by XBOW that
  is currently in an open state. These findings represent the most severe security issues
  and require immediate attention. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.
triggerOperator: gt
```