Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts IOCS

Cyble Vision Alerts IOCS

Back
Idc8cf42d5-8684-435f-9c4d-9dd0cc47eaec
RulenameCyble Vision Alerts IOC’S
DescriptionDetects malicious Indicators of Compromise such as IPs, domains, URLs, and hashes. Extracts IOC type, behaviour tags, risk rating, and timestamps using Alerts_IOCs parser. Triggers an incident with mapped entities, severity, and details.
SeverityLow
TacticsReconnaissance
InitialAccess
Discovery
CommandAndControl
Impact
TechniquesT1595
T1133
T1046
T1071
T1486
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_IOC’S.yaml
Version1.0.0
Arm templatec8cf42d5-8684-435f-9c4d-9dd0cc47eaec.json
Deploy To Azure
Alerts_iocs 
| where Service == "iocs" 
| extend MappedSeverity = Severity

customDetails:
  FirstSeen: IOC_FirstSeen
  IOCRiskRating: IOC_RiskRating
  Tags: IOC_Tags
  IOC: IOC_Value
  IOCType: IOC_Type
  Status: Status
  Reference: IOC_ReferenceLink
  UUID: IOC_UUID
  AlertID: AlertID
  IOCConfidentRating: IOC_ConfidentRating
  LastSeen: IOC_LastSeen
  Service: Service
  IOCBehaviour: IOC_BehaviourTags
  MappedSeverity: Severity
  IOCAttackName: IOC_AttackName
kind: Scheduled
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
description: |
    'Detects malicious Indicators of Compromise such as IPs, domains, URLs, and hashes. Extracts IOC type, behaviour tags, risk rating, and timestamps using Alerts_IOCs parser. Triggers an incident with mapped entities, severity, and details.'
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision IOC Detected {{IOC_Value}}
  alertDescriptionFormat: |
        Type {{IOC_Type}} Behaviour {{IOC_BehaviourTags}} Risk Rating {{IOC_RiskRating}}'
status: Available
enabled: true
query: |
  Alerts_iocs 
  | where Service == "iocs" 
  | extend MappedSeverity = Severity  
triggerThreshold: 0
relevantTechniques:
- T1595
- T1133
- T1046
- T1071
- T1486
version: 1.0.0
queryFrequency: 30m
subTechniques: []
suppressionDuration: PT5H
queryPeriod: 30m
tactics:
- Reconnaissance
- InitialAccess
- Discovery
- CommandAndControl
- Impact
name: Cyble Vision Alerts IOC'S
id: c8cf42d5-8684-435f-9c4d-9dd0cc47eaec
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IOC_Value
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_IOC'S.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H