Cyble Vision Alerts Cyble Web Applications

Back


Id	359ddb25-eab1-4ef5-8303-ed3a9b680690
Rulename	Cyble Vision Alerts Cyble Web Applications
Description	Creates an incident for each discovered or exposed web application detected by Cyble Intelligence. Useful for SOC teams to investigate externally facing login portals, misconfigurations, and exposed infrastructure.
Severity	Low
Tactics	Reconnaissance
Techniques	T1595 T1592
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Web_Applications.yaml
Version	1.0.0
Arm template	359ddb25-eab1-4ef5-8303-ed3a9b680690.json

KQL

Alerts_web_applications
| where Service == "web_applications"
| extend MappedSeverity = Severity

YAML

customDetails:
  Host: WA_Host_Nested
  Status: Status
  AlertID: AlertID
  DetectedURL: WA_URL
  Service: Service
  Title: WA_Title_Nested
  MappedSeverity: Severity
kind: Scheduled
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
description: |
    'Creates an incident for each discovered or exposed web application detected by Cyble Intelligence. Useful for SOC teams to investigate externally facing login portals, misconfigurations, and exposed infrastructure.'
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDisplayNameFormat: Cyble Web Application Found  {{WA_Title_Nested}}
  alertDescriptionFormat: |
    A web application was detected by Cyble Intelligence.
    Host {{WA_Host_Nested}}
    Port {{WA_Port_Nested}}
    URL {{WA_URL}}    
status: Available
enabled: true
query: |
  Alerts_web_applications
  | where Service == "web_applications"
  | extend MappedSeverity = Severity  
triggerThreshold: 0
relevantTechniques:
- T1595
- T1592
version: 1.0.0
queryFrequency: 30m
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: WA_URL
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: IP
  entityType: IP
suppressionDuration: PT5M
queryPeriod: 30m
tactics:
- Reconnaissance
name: Cyble Vision Alerts Cyble Web Applications
id: 359ddb25-eab1-4ef5-8303-ed3a9b680690
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Web_Applications.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H

ARM