Cyble Vision Alerts Cyble Web Applications

Alerts_web_applications
| where Service == "web_applications"
| extend MappedSeverity = Severity

name: Cyble Vision Alerts Cyble Web Applications
query: |
  Alerts_web_applications
  | where Service == "web_applications"
  | extend MappedSeverity = Severity  
enabled: true
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: WA_URL
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: IP
    identifier: Address
queryPeriod: 30m
version: 1.0.0
tactics:
- Reconnaissance
suppressionDuration: PT5M
triggerOperator: GreaterThan
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Web_Applications.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
relevantTechniques:
- T1595
- T1592
id: 359ddb25-eab1-4ef5-8303-ed3a9b680690
customDetails:
  Host: WA_Host_Nested
  MappedSeverity: Severity
  DetectedURL: WA_URL
  AlertID: AlertID
  Title: WA_Title_Nested
  Status: Status
  Service: Service
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
status: Available
description: |
    'Creates an incident for each discovered or exposed web application detected by Cyble Intelligence. Useful for SOC teams to investigate externally facing login portals, misconfigurations, and exposed infrastructure.'
alertDetailsOverride:
  alertDescriptionFormat: |
    A web application was detected by Cyble Intelligence.
    Host {{WA_Host_Nested}}
    Port {{WA_Port_Nested}}
    URL {{WA_URL}}    
  alertDisplayNameFormat: Cyble Web Application Found  {{WA_Title_Nested}}
queryFrequency: 30m