Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CyberBlindSpot - Any Issue Detected

CyberBlindSpot - Any Issue Detected

Back
Idabe1a662-d00d-482e-aa68-9394622ae02e
RulenameCyberBlindSpot - Any Issue Detected
DescriptionGeneric alert that triggers when ANY CyberBlindSpot issue/incident is detected in the logs. Extracts nested metadata from RawPayload.
SeverityInformational
TacticsReconnaissance
Discovery
ResourceDevelopment
InitialAccess
TechniquesT1592
T1598
T1566
Required data connectorsCTM360CBSConnectorDefinition
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/CBSAnyIssueDetected.yaml
Version1.0.0
Arm templateabe1a662-d00d-482e-aa68-9394622ae02e.json
Deploy To Azure
CBSLog
| project TimeGenerated, IncidentId, Subject, Severity, IncidentType, Status, Class, ExternalLink, Brand, FirstSeen, LastSeen, Remarks

name: CyberBlindSpot - Any Issue Detected
query: |
  CBSLog
  | project TimeGenerated, IncidentId, Subject, Severity, IncidentType, Status, Class, ExternalLink, Brand, FirstSeen, LastSeen, Remarks  
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: Subject
    identifier: Url
queryPeriod: 5m
suppressionEnabled: false
tactics:
- Reconnaissance
- Discovery
- ResourceDevelopment
- InitialAccess
suppressionDuration: PT5H
triggerOperator: GreaterThan
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/CBSAnyIssueDetected.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
alertDetailsOverride:
  alertDescriptionFormat: Type {{IncidentType}} | Subject {{Subject}} | Severity {{Severity}}
  alertDisplayNameFormat: CyberBlindSpot Alert - {{IncidentType}} on {{Subject}} - {{Brand}}
relevantTechniques:
- T1592
- T1598
- T1566
id: abe1a662-d00d-482e-aa68-9394622ae02e
customDetails:
  Subject: Subject
  Brand: Brand
  IncidentType: IncidentType
severity: Informational
requiredDataConnectors:
- connectorId: CTM360CBSConnectorDefinition
  dataTypes:
  - CBS_MalwareLogs_AzureV2_CL
  - CBS_BreachedCredentials_AzureV2_CL
  - CBS_CompromisedCards_AzureV2_CL
  - CBS_DomainInfringement_AzureV2_CL
  - CBS_SubdomainInfringement_AzureV2_CL
  - CBSLog_AzureV2_CL
status: Available
description: Generic alert that triggers when ANY CyberBlindSpot issue/incident is detected in the logs. Extracts nested metadata from RawPayload.
queryFrequency: 5m