Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Cloud Storage

Cyble Vision Alerts Cloud Storage

Back
Iddb417cee-529c-4eac-b7b9-36eb0166800a
RulenameCyble Vision Alerts Cloud Storage
DescriptionDetects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.
SeverityLow
TacticsExfiltration
Discovery
TechniquesT1537
T1083
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
Version1.0.0
Arm templatedb417cee-529c-4eac-b7b9-36eb0166800a.json
Deploy To Azure
Alerts_cloud_storage  
| where Service == "cloud_storage" 
| extend MappedSeverity = Severity

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
relevantTechniques:
- T1537
- T1083
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Cloud_Storage.yaml
customDetails:
  CS_WorkflowID: CS_WorkflowID
  CS_ObjectId: CS_ObjectId
  CS_FullPath: CS_FullPath
  CS_Url: CS_Url
  CS_AgenticAIStatus: CS_AgenticAIStatus
  ProcessedByAgenticAI: CS_ProcessedByAgenticAI
  Service: Service
  CS_Filename: CS_Filename
  MappedSeverity: Severity
  CS_Size: CS_Size
  CS_Bucket: CS_Bucket
  AlertID: AlertID
  CS_BucketId: CS_BucketId
  Status: Status
queryfrequency: 30m
severity: Low
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: CS_Url
    identifier: Url
  entityType: Url
- fieldMappings:
  - columnName: CS_Bucket
    identifier: HostName
  entityType: Host
alertDetailsOverride:
  alertDescriptionFormat: |
        A cloud storage object was discovered by ingestion. (ID {{CS_BucketId}}). Object {{CS_FullPath}} (ID {{CS_ObjectId}}). Review and remediate access if required.
  alertDisplayNameFormat: Exposed cloud object  {{CS_Filename}} in {{CS_Bucket}}.
name: Cyble Vision Alerts Cloud Storage
query: |
  Alerts_cloud_storage  
  | where Service == "cloud_storage" 
  | extend MappedSeverity = Severity  
version: 1.0.0
tactics:
- Exfiltration
- Discovery
queryPeriod: 30m
description: |
    'Detects cloud storage objects/paths discovered in ingestion (uses Alerts_cloud_storage parser). Creates incidents for discovered S3/GCS/Azure blob objects, includes bucket/object/url, size and workflow metadata. Mandatory custom details: MappedSeverity, Status, AlertID, Service.'
kind: Scheduled
id: db417cee-529c-4eac-b7b9-36eb0166800a
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available