Cyble Vision Alerts Bitbucket
| Field | Value |
|---|---|
| Id | f3c25011-4509-41c8-be27-35d891531c39 |
| Rulename | Cyble Vision Alerts Bitbucket |
| Description | Detects exposed secrets in Bitbucket repositories using the Alerts_bit_bucket parser. Creates one incident per matched secret. Includes decoder, detector, commit, file, and repository context for SOC triage. |
| Severity | Low |
| Tactics | CredentialAccess, Exfiltration, Discovery |
| Techniques | T1552, T1537, T1083 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_BitBucket.yaml |
| Version | 1.0.0 |
| Arm template | f3c25011-4509-41c8-be27-35d891531c39.json |
```kusto
Alerts_bit_bucket
| where Service == "bit_bucket"
| extend MappedSeverity = Severity
```
```yaml
customDetails:
  MappedSeverity: Severity
  BB_RotationGuide: BB_RotationGuide
  Status: Status
  BB_Line: BB_Line
  BB_File: BB_File
  Service: Service
  BB_Email: BB_Email
  BB_Verified: BB_Verified
  AlertID: AlertID
  BB_Repository: BB_Repository
  BB_DetectorName: BB_DetectorName
  BB_Link: BB_Link
  BB_Commit: BB_Commit
  BB_Raw: BB_Raw
severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_BitBucket.yaml
query: |
  Alerts_bit_bucket
  | where Service == "bit_bucket"
  | extend MappedSeverity = Severity
requiredDataConnectors:
  - dataTypes:
      - CybleVisionAlerts_CL
    connectorId: CybleVisionAlerts
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
  - T1552
  - T1537
  - T1083
kind: Scheduled
name: Cyble Vision Alerts Bitbucket
tactics:
  - CredentialAccess
  - Exfiltration
  - Discovery
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - fieldMappings:
      - identifier: Url
        columnName: BB_Repository
    entityType: Url
  - fieldMappings:
      - identifier: Url
        columnName: BB_Link
    entityType: Url
  - fieldMappings:
      - identifier: Name
        columnName: BB_File
      - identifier: Directory
        columnName: KeywordName
    entityType: File
enabled: true
queryFrequency: 30m
description: |
  'Detects exposed secrets in Bitbucket repositories using the Alerts_bit_bucket parser. Creates one incident per matched secret. Includes decoder, detector, commit, file, and repository context for SOC triage.'
alertDetailsOverride:
  alertDisplayNameFormat: Secret Exposure in Bitbucket {{BB_File}} ({{BB_DetectorName}})
  alertDescriptionFormat: |
    A sensitive secret was detected in Bitbucket repository {{BB_Repository}}. File {{BB_File}}:{{BB_Line}}. Investigator should verify exposure, rotate credentials and remediate impacted systems.
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: f3c25011-4509-41c8-be27-35d891531c39
```