XbowCriticalHighFindings
| Field | Value |
| --- | --- |
| Id | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678 |
| Rulename | XbowCriticalHighFindings |
| Description | Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state. These findings represent the most severe security issues and require immediate attention. Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents. |
| Severity | High |
| Tactics | InitialAccess, Execution, PrivilegeEscalation, DefenseEvasion, Impact |
| Techniques | T1190 |
| Required data connectors | XbowSecurityConnector |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml |
| Version | 1.0.0 |
| Arm template | f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678.json |
```kusto
XbowFindings_CL
| where TimeGenerated > ago(1h)
| where tolower(Severity) in ('critical', 'high')
| where isempty(State) or tolower(State) == 'open'
| summarize arg_max(TimeGenerated, *) by FindingId
| join kind=leftouter (
    XbowAssets_CL
    | summarize arg_max(TimeGenerated, *) by AssetId
    | project AssetId, StartUrl
) on AssetId
| project
    TimeGenerated,
    FindingId,
    FindingName,
    Severity,
    State,
    Summary,
    Impact,
    Mitigations,
    Recipe,
    AssetId,
    AssetName,
    OrganizationId,
    CreatedAt,
    StartUrl
```
```yaml
relevantTechniques:
  - T1190
entityMappings:
  - entityType: URL
    fieldMappings:
      - columnName: StartUrl
        identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
severity: High
kind: Scheduled
queryFrequency: 30m
description: |
  Creates an incident for each Critical or High severity finding reported by XBOW that
  is currently in an open state. These findings represent the most severe security issues
  and require immediate attention. Each alert is deduplicated per finding so re-ingestion
  of the same finding does not produce duplicate incidents.
requiredDataConnectors:
  - connectorId: XbowSecurityConnector
    dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
triggerOperator: gt
name: XbowCriticalHighFindings
tactics:
  - InitialAccess
  - Execution
  - PrivilegeEscalation
  - DefenseEvasion
  - Impact
alertDetailsOverride:
  alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
  alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/XBOW/Analytic Rules/XbowCriticalHighFindings.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) in ('critical', 'high')
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
  ) on AssetId
  | project
      TimeGenerated,
      FindingId,
      FindingName,
      Severity,
      State,
      Summary,
      Impact,
      Mitigations,
      Recipe,
      AssetId,
      AssetName,
      OrganizationId,
      CreatedAt,
      StartUrl
status: Available
customDetails:
  OrganizationId: OrganizationId
  FindingName: FindingName
  AssetId: AssetId
  State: State
  Severity: Severity
  AssetName: AssetName
  Mitigations: Mitigations
  FindingId: FindingId
  CreatedAt: CreatedAt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities: []
    groupByCustomDetails:
      - FindingId
    groupByAlertDetails: []
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 24h
```