Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Cloud Storage

Cyble Vision Alerts Cloud Storage

Back
Iddb417cee-529c-4eac-b7b9-36eb0166800a
RulenameCyble Vision Alerts Cloud Storage
DescriptionDetects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.
SeverityLow
TacticsExfiltration
Discovery
TechniquesT1537
T1083
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
Version1.0.0
Arm templatedb417cee-529c-4eac-b7b9-36eb0166800a.json
Deploy To Azure
Alerts_cloud_storage  
| where Service == "cloud_storage" 
| extend MappedSeverity = Severity

status: Available
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
version: 1.0.0
queryPeriod: 30m
query: |
  Alerts_cloud_storage  
  | where Service == "cloud_storage" 
  | extend MappedSeverity = Severity  
kind: Scheduled
name: Cyble Vision Alerts Cloud Storage
triggerOperator: GreaterThan
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: db417cee-529c-4eac-b7b9-36eb0166800a
triggerThreshold: 0
entityMappings:
- entityType: Url
  fieldMappings:
  - identifier: Url
    columnName: CS_Url
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: CS_Bucket
queryfrequency: 30m
alertDetailsOverride:
  alertDescriptionFormat: |
        A cloud storage object was discovered by ingestion. (ID {{CS_BucketId}}). Object {{CS_FullPath}} (ID {{CS_ObjectId}}). Review and remediate access if required.
  alertDisplayNameFormat: Exposed cloud object  {{CS_Filename}} in {{CS_Bucket}}.
description: |
    'Detects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.'
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
customDetails:
  Status: Status
  CS_AgenticAIStatus: CS_AgenticAIStatus
  Service: Service
  ProcessedByAgenticAI: CS_ProcessedByAgenticAI
  CS_Url: CS_Url
  MappedSeverity: Severity
  AlertID: AlertID
  CS_ObjectId: CS_ObjectId
  CS_WorkflowID: CS_WorkflowID
  CS_FullPath: CS_FullPath
  CS_Bucket: CS_Bucket
  CS_BucketId: CS_BucketId
  CS_Size: CS_Size
  CS_Filename: CS_Filename
relevantTechniques:
- T1537
- T1083
tactics:
- Exfiltration
- Discovery