45 строки
1.6 KiB
YAML
45 строки
1.6 KiB
YAML
id: d68b758a-b117-4cb8-8e1d-dcab5a4a2f21
|
|
name: BitSight - compromised systems detected
|
|
description: |
|
|
'Rule helps to detect whenever there is a compromised systems found in BitSight.'
|
|
severity: Medium
|
|
status: Available
|
|
requiredDataConnectors:
|
|
- connectorId: BitSight
|
|
dataTypes:
|
|
- BitSightFindingsData
|
|
queryFrequency: 1d
|
|
queryPeriod: 24h
|
|
triggerOperator: GreaterThan
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Execution
|
|
query: |
|
|
let timeframe = 24h;
|
|
BitSightFindingsData
|
|
| where ingestion_time() > ago(timeframe)
|
|
| where RiskCategory == "Compromised Systems"
|
|
| extend Severity = toreal(Severity)
|
|
| extend Severity = case( Severity <= 6.9 and Severity >= 4.0, "Low",
|
|
Severity <= 8.9 and Severity >= 7.0, "Medium",
|
|
Severity <= 10.0 and Severity >= 9.0, "High",
|
|
"Informational")
|
|
| project FirstSeen, CompanyName, Severity, RiskCategory, RiskVector, TemporaryId
|
|
incidentConfiguration:
|
|
createIncident: true
|
|
eventGroupingSettings:
|
|
aggregationKind: AlertPerResult
|
|
alertDetailsOverride:
|
|
alertDisplayNameFormat: 'BitSight: Alert for {{RiskVector}} in {{CompanyName}} from BitSight'
|
|
alertDescriptionFormat: 'Alert is generated for {{CompanyName}}.\n\nRisk Vector: {{RiskVector}}\nTemporaryId: {{TemporaryId}}\nRisk Category: Compromised Systems'
|
|
alertSeverityColumnName: Severity
|
|
entityMappings:
|
|
- entityType: Malware
|
|
fieldMappings:
|
|
- identifier: Name
|
|
columnName: RiskVector
|
|
- identifier: Category
|
|
columnName: RiskCategory
|
|
version: 1.0.0
|
|
kind: Scheduled
|