Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Postman API Exposure Detection

Cyble Vision Alerts Postman API Exposure Detection

Back
Id99ca8956-5aad-4542-9fbc-8254182b424d
RulenameCyble Vision Alerts Postman API Exposure Detection
DescriptionDetects exposed Postman requests, collections or endpoints referencing monitored entities. Alerts analysts to possible API enumeration, leaked endpoints, or unintended exposure.
SeverityLow
TacticsReconnaissance
CredentialAccess
Exfiltration
TechniquesT1595
T1552
T1041
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Postman.yaml
Version1.0.0
Arm template99ca8956-5aad-4542-9fbc-8254182b424d.json
Deploy To Azure
Alerts_postman  
| where Service == "postman"
| extend MappedSeverity = Severity

customDetails:
  PM_PostmanKey: PM_PostmanKey
  Status: Status
  PM_DevelopedByUrl: PM_DevelopedByUrl
  AlertID: AlertID
  PM_Title: PM_Title
  PM_DevelopedBy: PM_DevelopedBy
  Service: Service
  PM_Url: PM_Url
  PM_Category: PM_Category
  MappedSeverity: Severity
kind: Scheduled
severity: Low
description: |
    'Detects exposed Postman requests, collections or endpoints referencing monitored entities. Alerts analysts to possible API enumeration, leaked endpoints, or unintended exposure.'
triggerOperator: GreaterThan
status: Available
enabled: true
query: |
  Alerts_postman  
  | where Service == "postman"
  | extend MappedSeverity = Severity  
triggerThreshold: 0
relevantTechniques:
- T1595
- T1552
- T1041
version: 1.0.0
queryfrequency: 30m
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: PM_Url
  entityType: Url
- fieldMappings:
  - identifier: HostName
    columnName: KeywordName
  entityType: Host
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
queryPeriod: 30m
tactics:
- Reconnaissance
- CredentialAccess
- Exfiltration
name: Cyble Vision Alerts Postman API Exposure Detection
id: 99ca8956-5aad-4542-9fbc-8254182b424d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Postman.yaml
incidentConfiguration:
  alertDisplayNameFormat: Exposed Postman API Request {{PM_Title}}
  alertDetailsOverride: 
  alertDescriptionFormat: |
        A Postman API request referencing monitored entity {{KeywordName}} was discovered. Public Workspace {{PM_IsPublic}}. Developer {{PM_DevelopedBy}}. This may indicate exposed API endpoints, leaked request parameters or sensitive testing data.
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
  createIncident: true