Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ARGOS Cloud Security - Exploitable Cloud Resources

Back
Ida9bf1b8c-c761-4840-b9a8-7535ca68ca28
RulenameARGOS Cloud Security - Exploitable Cloud Resources
DescriptionExploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
Required data connectorsARGOSCloudSecurity
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml
Version1.0.3
Arm templatea9bf1b8c-c761-4840-b9a8-7535ca68ca28.json
Deploy To Azure
ARGOS_CL | where exploitable_b
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
description: Exploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.
id: a9bf1b8c-c761-4840-b9a8-7535ca68ca28
requiredDataConnectors:
- connectorId: ARGOSCloudSecurity
  dataTypes:
  - ARGOS_CL
suppressionDuration: PT5H
customDetails: 
relevantTechniques:
- T1190
tactics:
- InitialAccess
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: New exploitable cloud resource - {{name_s}} - {{ruleId_s}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml
suppressionEnabled: false
alertRuleTemplateName: 
severity: High
entityMappings:
- fieldMappings:
  - columnName: ResourceId
    identifier: ResourceId
  entityType: AzureResource
- fieldMappings:
  - columnName: url_s
    identifier: Url
  entityType: URL
triggerThreshold: 0
queryFrequency: 1h
status: Available
queryPeriod: 1h
triggerOperator: gt
query: |
    ARGOS_CL | where exploitable_b
name: ARGOS Cloud Security - Exploitable Cloud Resources
version: 1.0.3
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9bf1b8c-c761-4840-b9a8-7535ca68ca28')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9bf1b8c-c761-4840-b9a8-7535ca68ca28')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "New exploitable cloud resource - {{name_s}} - {{ruleId_s}}"
        },
        "alertRuleTemplateName": null,
        "customDetails": null,
        "description": "Exploitable Cloud Security Issues are ones that expose cloud resources to the internet and allow initial access to your environment.",
        "displayName": "ARGOS Cloud Security - Exploitable Cloud Resources",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "ResourceId",
                "identifier": "ResourceId"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Analytic Rules/ExploitableSecurityIssues.yaml",
        "query": "ARGOS_CL | where exploitable_b\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}