SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md

Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added

Query Information

Description

This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).

Risk

A CVE is only added to the CISA Known Exploited Vulnerabilities catalog once CISA has evidence that it is being actively exploited in the wild, so exposure to such a vulnerability is a near-term compromise risk rather than a theoretical one. This rule surfaces every new catalog entry together with its Vendor, Product, RequiredAction and CISA due date so that affected assets can be identified and remediated with priority. Note that the rule detects catalog changes only; it does not by itself determine whether the vulnerable product is present in the environment.

References

Sentinel

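// Detect entries newly added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
// Keep this block in sync with the "query" property of the ARM template below — the
// template is what actually gets deployed.
//
// Titles of incidents this rule has already raised. The title is produced by the template's
// alertDisplayNameFormat ("{{CVEid}} - CISA Known Exploited Vulnerabilitie Added"), so the
// literal below — including its existing spelling — must match it byte-for-byte, otherwise
// the dedupe silently stops working. The lookback is deliberately longer than the two-day
// DateAdded window selected further down so that an entry cannot re-alert inside that window.
// NOTE(review): the template enables alert grouping (matchingMethod AllEntities) but maps no
// entities; confirm that grouped alerts still yield incident titles this dedupe can see,
// otherwise later CVEs added on the same day may be re-alerted on every run.
let PreviousAlertTriggers = SecurityIncident
    | where TimeGenerated > ago(3d)
    | where Title has_all ("CVE-", "CISA Known Exploited Vulnerabilitie Added")
    | distinct Title;
// The KEV catalog is fetched live from cisa.gov over HTTPS on every run. externaldata maps
// columns by position, so this list must match the CSV header order exactly; an upstream
// schema change (newer catalog revisions add columns after dueDate, e.g. a ransomware-campaign
// flag) shifts values into the wrong columns rather than failing loudly — verify against the
// current header before relying on Notes.
// NOTE(review): if the download fails or returns zero rows the rule simply returns nothing;
// there is no health signal for that case.
let KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// dateAdded is a bare calendar date (parsed as 00:00 UTC) that CISA appears to assign in US
// local time, so an entry dated "yesterday" can first show up in the CSV after UTC midnight.
// The original `> startofday(now() - 1d)` only selected today's date and missed such late
// entries; `>=` keeps yesterday's date in scope, and the 3-day dedupe lookback above prevents
// repeats across the wider window.
| where DateAdded >= startofday(now() - 1d)
// Days remaining until CISA's remediation due date (negative once overdue).
| extend DueDateinDays = datetime_diff('day', dueDate, now())
// Suppress CVEs that already have an incident; `!in` is a case-sensitive exact match.
| where strcat(CVEid, " - CISA Known Exploited Vulnerabilitie Added") !in (PreviousAlertTriggers)
| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDate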

Sentinel Analytics Rule

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace": {
            "type": "String"
        }
    },
    "resources": [
        {
            "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9531b108-1928-4ada-bd96-52308174c7f0')]",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9531b108-1928-4ada-bd96-52308174c7f0')]",
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "apiVersion": "2023-12-01-preview",
            "properties": {
                "displayName": "CISA Known Exploited Vulnerability Added",
                "description": "This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
                "severity": "Medium",
                "enabled": true,
                "query": "let PreviousAlertTriggers = SecurityIncident\n    | where TimeGenerated > ago(24h)\n    | where Title has_all (\"CVE-\", \"CISA Known Exploited Vulnerabilitie Added\")\n    | distinct Title;\nlet KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@\"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nKnowExploitesVulnsCISA\n| where DateAdded > startofday(now() - 1d)\n| extend DueDateinDays = datetime_diff('day', dueDate, now())\n| extend CreateIncident = iff (strcat(CVEid, \" - CISA Known Exploited Vulnerabilitie Added\") in (PreviousAlertTriggers), false, true)\n| where CreateIncident == true\n| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDate",
                "queryFrequency": "PT10M",
                "queryPeriod": "P1D",
                "triggerOperator": "GreaterThan",
                "triggerThreshold": 0,
                "suppressionDuration": "PT5H",
                "suppressionEnabled": false,
                "startTimeUtc": null,
                "tactics": [],
                "techniques": [],
                "alertRuleTemplateName": null,
                "incidentConfiguration": {
                    "createIncident": true,
                    "groupingConfiguration": {
                        "enabled": true,
                        "reopenClosedIncident": false,
                        "lookbackDuration": "P1D",
                        "matchingMethod": "AllEntities",
                        "groupByEntities": [],
                        "groupByAlertDetails": [],
                        "groupByCustomDetails": []
                    }
                },
                "eventGroupingSettings": {
                    "aggregationKind": "AlertPerResult"
                },
                "alertDetailsOverride": {
                    "alertDisplayNameFormat": "{{CVEid}} - CISA Known Exploited Vulnerabilitie Added",
                    "alertDescriptionFormat": "<div style=\"background-color: #000000;border-left: 6px solid #f44336;\"><p style=\"padding-left: 5px\"><strong> {{CVEid}} - {{Vendor}}</strong> </p></div>\n\nVulnerability description: {{Description}}  \n\nThis analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
                    "alertDynamicProperties": []
                },
                "customDetails": {
                    "CVEid": "CVEid",
                    "Vendor": "Vendor",
                    "Product": "Product"
                },
                "entityMappings": null,
                "sentinelEntitiesMappings": [
                    {
                        "columnName": "CVEid"
                    }
                ],
                "templateVersion": null,
                "subTechniques": []
            }
        }
    ]
}