Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ARGOS Cloud Security - Exploitable Cloud Resources

Back
Ida9bf1b8c-c761-4840-b9a8-7535ca68ca28
RulenameARGOS Cloud Security - Exploitable Cloud Resources
DescriptionExploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.
SeverityHigh
TacticsInitialAccess
Required data connectorsARGOSCloudSecurity
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml
Version1.0.2
Arm templatea9bf1b8c-c761-4840-b9a8-7535ca68ca28.json
Deploy To Azure
ARGOS_CL | where exploitable_b
triggerOperator: gt
techniques: []
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
  createIncident: true
suppressionDuration: PT5H
id: a9bf1b8c-c761-4840-b9a8-7535ca68ca28
queryFrequency: 1h
entityMappings:
- entityType: AzureResource
  fieldMappings:
  - columnName: ResourceId
    identifier: ResourceId
- entityType: URL
  fieldMappings:
  - columnName: url_s
    identifier: Url
requiredDataConnectors:
- dataTypes:
  - ARGOS_CL
  connectorId: ARGOSCloudSecurity
severity: High
customDetails: 
tactics:
- InitialAccess
kind: Scheduled
status: Available
queryPeriod: 1h
alertDetailsOverride:
  alertDisplayNameFormat: New exploitable cloud resource - {{name_s}} - {{ruleId_s}}
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
    ARGOS_CL | where exploitable_b
description: Exploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml
alertRuleTemplateName: 
name: ARGOS Cloud Security - Exploitable Cloud Resources
triggerThreshold: 0
version: 1.0.2
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9bf1b8c-c761-4840-b9a8-7535ca68ca28')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9bf1b8c-c761-4840-b9a8-7535ca68ca28')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "ARGOS Cloud Security - Exploitable Cloud Resources",
        "description": "Exploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.",
        "severity": "High",
        "enabled": true,
        "query": "ARGOS_CL | where exploitable_b\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [],
        "alertRuleTemplateName": "a9bf1b8c-c761-4840-b9a8-7535ca68ca28",
        "incidentConfiguration": {
          "groupingConfiguration": {
            "reopenClosedIncident": false,
            "matchingMethod": "AllEntities",
            "enabled": false,
            "lookbackDuration": "PT5H"
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "New exploitable cloud resource - {{name_s}} - {{ruleId_s}}"
        },
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "ResourceId",
                "columnName": "ResourceId"
              }
            ],
            "entityType": "AzureResource"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "url_s"
              }
            ],
            "entityType": "URL"
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml",
        "templateVersion": "1.0.2"
      }
    }
  ]
}