XbowCriticalHighFindings
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess Execution PrivilegeEscalation DefenseEvasion Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.0 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
query: |
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
XbowAssets_CL
| summarize arg_max(TimeGenerated, *) by AssetId
| project AssetId, StartUrl
) on AssetId
| project
TimeGenerated,
FindingId,
FindingName,
Severity,
State,
Summary,
Impact,
Mitigations,
Recipe,
AssetId,
AssetName,
OrganizationId,
CreatedAt,
StartUrl
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: StartUrl
kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- XbowFindings_CL
- XbowAssets_CL
connectorId: XbowSecurityConnector
tactics:
- InitialAccess
- Execution
- PrivilegeEscalation
- DefenseEvasion
- Impact
triggerThreshold: 0
description: |
Creates an incident for each Critical or High severity finding reported by XBOW that
is currently in an open state. These findings represent the most severe security issues
and require immediate attention. Each alert is deduplicated per finding so re-ingestion
of the same finding does not produce duplicate incidents.
queryPeriod: 1h
version: 1.0.0
queryFrequency: 30m
severity: High
alertDetailsOverride:
alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities: []
reopenClosedIncident: false
groupByAlertDetails: []
matchingMethod: Selected
lookbackDuration: 24h
groupByCustomDetails:
- FindingId
enabled: true
customDetails:
AssetName: AssetName
State: State
OrganizationId: OrganizationId
CreatedAt: CreatedAt
FindingId: FindingId
AssetId: AssetId
Mitigations: Mitigations
Severity: Severity
FindingName: FindingName
name: XbowCriticalHighFindings
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
relevantTechniques:
- T1190