Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Cloud Storage

Cyble Vision Alerts Cloud Storage

Back
Iddb417cee-529c-4eac-b7b9-36eb0166800a
RulenameCyble Vision Alerts Cloud Storage
DescriptionDetects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.
SeverityLow
TacticsExfiltration
Discovery
TechniquesT1537
T1083
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
Version1.0.0
Arm templatedb417cee-529c-4eac-b7b9-36eb0166800a.json
Deploy To Azure
Alerts_cloud_storage  
| where Service == "cloud_storage" 
| extend MappedSeverity = Severity

customDetails:
  CS_Url: CS_Url
  MappedSeverity: Severity
  CS_Size: CS_Size
  CS_BucketId: CS_BucketId
  Service: Service
  CS_Bucket: CS_Bucket
  CS_ObjectId: CS_ObjectId
  CS_AgenticAIStatus: CS_AgenticAIStatus
  AlertID: AlertID
  ProcessedByAgenticAI: CS_ProcessedByAgenticAI
  CS_WorkflowID: CS_WorkflowID
  CS_Filename: CS_Filename
  CS_FullPath: CS_FullPath
  Status: Status
severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
query: |
  Alerts_cloud_storage  
  | where Service == "cloud_storage" 
  | extend MappedSeverity = Severity  
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1537
- T1083
kind: Scheduled
name: Cyble Vision Alerts Cloud Storage
tactics:
- Exfiltration
- Discovery
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: CS_Url
  entityType: Url
- fieldMappings:
  - identifier: HostName
    columnName: CS_Bucket
  entityType: Host
enabled: true
queryfrequency: 30m
description: |
    'Detects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.'
alertDetailsOverride:
  alertDisplayNameFormat: Exposed cloud object  {{CS_Filename}} in {{CS_Bucket}}.
  alertDescriptionFormat: |
        A cloud storage object was discovered by ingestion. (ID {{CS_BucketId}}). Object {{CS_FullPath}} (ID {{CS_ObjectId}}). Review and remediate access if required.
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: db417cee-529c-4eac-b7b9-36eb0166800a