id: f8e7d6c5-4b3a-4912-8f0e-2d1c3b4a5678
name: XbowCriticalHighFindings
description: |
  Creates an incident for each Critical or High severity finding reported by XBOW that is currently in an open state.
  These findings represent the most severe security issues and require immediate attention.
  Each alert is deduplicated per finding so re-ingestion of the same finding does not produce duplicate incidents.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: XbowSecurityConnector
    dataTypes:
      - XbowFindings_CL
      - XbowAssets_CL
queryFrequency: 30m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Execution
  - PrivilegeEscalation
  - DefenseEvasion
  - Impact
relevantTechniques:
  - T1190
query: |
  XbowFindings_CL
  | where TimeGenerated > ago(1h)
  | where tolower(Severity) in ('critical', 'high')
  | where isempty(State) or tolower(State) == 'open'
  | summarize arg_max(TimeGenerated, *) by FindingId
  | join kind=leftouter (
      XbowAssets_CL
      | summarize arg_max(TimeGenerated, *) by AssetId
      | project AssetId, StartUrl
    ) on AssetId
  | project TimeGenerated, FindingId, FindingName, Severity, State, Summary, Impact, Mitigations, Recipe, AssetId, AssetName, OrganizationId, CreatedAt, StartUrl
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'XBOW {{Severity}}: {{FindingName}}'
  alertDescriptionFormat: '{{Severity}} severity finding on {{AssetName}}. {{Summary}}'
customDetails:
  FindingID: FindingId
  FindingName: FindingName
  Severity: Severity
  State: State
  AssetID: AssetId
  AssetName: AssetName
  OrganizationID: OrganizationId
  CreatedAt: CreatedAt
  Mitigations: Mitigations
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 24h
    matchingMethod: Selected
    groupByCustomDetails:
      - FindingID
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: StartUrl
version: 1.0.1
kind: Scheduled