Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts OSINT Mention Detected

Cyble Vision Alerts OSINT Mention Detected

Back
Id9ff985d8-57a8-4302-a8e6-34fa96c3c505
RulenameCyble Vision Alerts OSINT Mention Detected
DescriptionTriggers when Cyble detects an OSINT mention related to monitored keywords, entities, or brand identifiers. OSINT findings may indicate data leaks, expose content, targeting activity, impersonation, or discussions that may require investigation.
SeverityLow
TacticsReconnaissance
ResourceDevelopment
TechniquesT1592
T1589
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_osint_rule.yaml
Version1.0.0
Arm template9ff985d8-57a8-4302-a8e6-34fa96c3c505.json
Deploy To Azure
Alerts_osint  
| where Service == "osint" 
| extend MappedSeverity = Severity

incidentConfiguration:
  alertDisplayNameFormat: OSINT Mention Identified for Monitored Keyword {{KeywordName}}
  createIncident: true
  alertDetailsOverride: 
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
  alertDescriptionFormat: |
        A public OSINT mention referencing monitored keyword/entity {{KeywordName}} has been detected. Source {{OS_Source}}. Mention URL {{OS_MentionURL}}. This may indicate reputational impact, data exposure, or adversarial research targeting the organization.
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
relevantTechniques:
- T1592
- T1589
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_osint_rule.yaml
customDetails:
  AlertID: AlertID
  Source: OS_Source
  Service: Service
  AuthorName: OS_AuthorName
  Status: Status
  AuthorUsername: OS_AuthorUsername
  MentionDate: OS_MentionDate
  MentionURL: OS_MentionURL
  MappedSeverity: Severity
  PostSnippet: OS_PostSnippet
queryfrequency: 30m
severity: Low
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: MA_Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: MA_DomainURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: KeywordName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: Domain
    identifier: HostName
  entityType: Host
name: Cyble Vision Alerts OSINT Mention Detected
query: |
  Alerts_osint  
  | where Service == "osint" 
  | extend MappedSeverity = Severity  
version: 1.0.0
tactics:
- Reconnaissance
- ResourceDevelopment
queryPeriod: 30m
description: |
    'Triggers when Cyble detects an OSINT mention related to monitored keywords, entities, or brand identifiers. OSINT findings may indicate data leaks, expose content, targeting activity, impersonation, or discussions that may require investigation.'
kind: Scheduled
id: 9ff985d8-57a8-4302-a8e6-34fa96c3c505
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available