Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Cloud Storage

Cyble Vision Alerts Cloud Storage

Back
Iddb417cee-529c-4eac-b7b9-36eb0166800a
RulenameCyble Vision Alerts Cloud Storage
DescriptionDetects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.
SeverityLow
TacticsExfiltration
Discovery
TechniquesT1537
T1083
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
Version1.0.0
Arm templatedb417cee-529c-4eac-b7b9-36eb0166800a.json
Deploy To Azure
Alerts_cloud_storage  
| where Service == "cloud_storage" 
| extend MappedSeverity = Severity

name: Cyble Vision Alerts Cloud Storage
alertDetailsOverride:
  alertDisplayNameFormat: Exposed cloud object  {{CS_Filename}} in {{CS_Bucket}}.
  alertDescriptionFormat: |
        A cloud storage object was discovered by ingestion. (ID {{CS_BucketId}}). Object {{CS_FullPath}} (ID {{CS_ObjectId}}). Review and remediate access if required.
id: db417cee-529c-4eac-b7b9-36eb0166800a
enabled: true
entityMappings:
- fieldMappings:
  - columnName: CS_Url
    identifier: Url
  entityType: Url
- fieldMappings:
  - columnName: CS_Bucket
    identifier: HostName
  entityType: Host
version: 1.0.0
triggerOperator: GreaterThan
query: |
  Alerts_cloud_storage  
  | where Service == "cloud_storage" 
  | extend MappedSeverity = Severity  
description: |
    'Detects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.'
kind: Scheduled
queryfrequency: 30m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
severity: Low
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
status: Available
customDetails:
  CS_BucketId: CS_BucketId
  MappedSeverity: Severity
  CS_Url: CS_Url
  CS_Filename: CS_Filename
  CS_Size: CS_Size
  CS_WorkflowID: CS_WorkflowID
  CS_ObjectId: CS_ObjectId
  ProcessedByAgenticAI: CS_ProcessedByAgenticAI
  AlertID: AlertID
  CS_FullPath: CS_FullPath
  Service: Service
  CS_Bucket: CS_Bucket
  CS_AgenticAIStatus: CS_AgenticAIStatus
  Status: Status
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1537
- T1083
tactics:
- Exfiltration
- Discovery