Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dynatrace Application Security - Non-critical runtime vulnerability detection

Back
Idff0af873-a2f2-4233-8412-0ef4e00b0156
RulenameDynatrace Application Security - Non-critical runtime vulnerability detection
DescriptionDetect runtime vulnerabilities in your environment insights by snyk
SeverityInformational
TacticsDefenseEvasion
Execution
Impact
InitialAccess
LateralMovement
Persistence
PrivilegeEscalation
Required data connectorsDynatraceRuntimeVulnerabilities
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_NonCriticalVulnerabilityDetection.yaml
Version1.0.2
Arm templateff0af873-a2f2-4233-8412-0ef4e00b0156.json
Deploy To Azure
DynatraceSecurityProblems
| where DAVISRiskLevel != "CRITICAL"  and Muted == false
| summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
name: Dynatrace Application Security - Non-critical runtime vulnerability detection
alertDetailsOverride:
  alertDisplayNameFormat: 'Dynatrace Non-critical runtime vulnerability detected - {{DisplayId}} : {{Title}}'
  alertSeverityColumnName: Severity
  alertDescriptionFormat: |
        Non-critical runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.
description: Detect runtime vulnerabilities in your environment insights by snyk
requiredTechniques:
- T1140
- T1059
- T1565
- T1659
- T1210
- T1554
- T1548
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_NonCriticalVulnerabilityDetection.yaml
version: 1.0.2
triggerThreshold: 0
queryFrequency: 1d
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
kind: Scheduled
triggerOperator: gt
customDetails:
  DAVISExposure: DAVISExposure
  DAVISDataAssets: DAVISDataAssets
  DAVISVulnFuncUsage: DAVISVulnerableFunctionUsage
  DAVISRiskVector: DAVISRiskVector
  PackageName: PackageName
  DAVISRiskLevel: DAVISRiskLevel
  SecProbIdentifier: SecurityProblemId
  DAVISPublicExploit: DAVISPublicExploit
  SecurityProblemUrl: Url
  ExternVulnIdentifier: ExternalVulnerabilityId
  CVEIds: CVEIds
  DisplayIdentifier: DisplayId
  DAVISRiskScore: DAVISRiskScore
  VulnerabilityType: VulnerabilityType
  Technology: Technology
tactics:
- DefenseEvasion
- Execution
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: DynatraceRuntimeVulnerabilities
  dataTypes:
  - DynatraceSecurityProblems
severity: Informational
queryPeriod: 1d
status: Available
query: |
  DynatraceSecurityProblems
  | where DAVISRiskLevel != "CRITICAL"  and Muted == false
  | summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId  
id: ff0af873-a2f2-4233-8412-0ef4e00b0156
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff0af873-a2f2-4233-8412-0ef4e00b0156')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff0af873-a2f2-4233-8412-0ef4e00b0156')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Non-critical runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.\n",
          "alertDisplayNameFormat": "Dynatrace Non-critical runtime vulnerability detected - {{DisplayId}} : {{Title}}",
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "ff0af873-a2f2-4233-8412-0ef4e00b0156",
        "customDetails": {
          "CVEIds": "CVEIds",
          "DAVISDataAssets": "DAVISDataAssets",
          "DAVISExposure": "DAVISExposure",
          "DAVISPublicExploit": "DAVISPublicExploit",
          "DAVISRiskLevel": "DAVISRiskLevel",
          "DAVISRiskScore": "DAVISRiskScore",
          "DAVISRiskVector": "DAVISRiskVector",
          "DAVISVulnFuncUsage": "DAVISVulnerableFunctionUsage",
          "DisplayIdentifier": "DisplayId",
          "ExternVulnIdentifier": "ExternalVulnerabilityId",
          "PackageName": "PackageName",
          "SecProbIdentifier": "SecurityProblemId",
          "SecurityProblemUrl": "Url",
          "Technology": "Technology",
          "VulnerabilityType": "VulnerabilityType"
        },
        "description": "Detect runtime vulnerabilities in your environment insights by snyk",
        "displayName": "Dynatrace Application Security - Non-critical runtime vulnerability detection",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_NonCriticalVulnerabilityDetection.yaml",
        "query": "DynatraceSecurityProblems\n| where DAVISRiskLevel != \"CRITICAL\"  and Muted == false\n| summarize  arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "requiredTechniques": [
          "T1140",
          "T1059",
          "T1565",
          "T1659",
          "T1210",
          "T1554",
          "T1548"
        ],
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Execution",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}