Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Bitbucket

Cyble Vision Alerts Bitbucket

Back
Idf3c25011-4509-41c8-be27-35d891531c39
RulenameCyble Vision Alerts Bitbucket
DescriptionDetects exposed secrets in Bitbucket repositories using the Alerts_bit_bucket parser. Creates one incident per matched secret. Includes decoder, detector, commit, file, and repository context for SOC triage.
SeverityLow
TacticsCredentialAccess
Exfiltration
Discovery
TechniquesT1552
T1537
T1083
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_BitBucket.yaml
Version1.0.0
Arm templatef3c25011-4509-41c8-be27-35d891531c39.json
Deploy To Azure
Alerts_bit_bucket 
| where Service == "bit_bucket" 
| extend MappedSeverity = Severity

customDetails:
  BB_DetectorName: BB_DetectorName
  Service: Service
  MappedSeverity: Severity
  BB_Commit: BB_Commit
  BB_Repository: BB_Repository
  BB_Email: BB_Email
  BB_Verified: BB_Verified
  AlertID: AlertID
  BB_Line: BB_Line
  BB_File: BB_File
  BB_RotationGuide: BB_RotationGuide
  BB_Link: BB_Link
  Status: Status
  BB_Raw: BB_Raw
id: f3c25011-4509-41c8-be27-35d891531c39
name: Cyble Vision Alerts Bitbucket
queryPeriod: 30m
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_BitBucket.yaml
query: |
  Alerts_bit_bucket 
  | where Service == "bit_bucket" 
  | extend MappedSeverity = Severity  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1552
- T1537
- T1083
entityMappings:
- entityType: Url
  fieldMappings:
  - identifier: Url
    columnName: BB_Repository
- entityType: Url
  fieldMappings:
  - identifier: Url
    columnName: BB_Link
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: BB_File
  - identifier: Directory
    columnName: KeywordName
enabled: true
severity: Low
kind: Scheduled
triggerThreshold: 0
triggerOperator: GreaterThan
tactics:
- CredentialAccess
- Exfiltration
- Discovery
status: Available
queryFrequency: 30m
alertDetailsOverride:
  alertDisplayNameFormat: Secret Exposure in Bitbucket {{BB_File}} ({{BB_DetectorName}})
  alertDescriptionFormat: |
        A sensitive secret was detected in Bitbucket repository {{BB_Repository}}. File {{BB_File}}:{{BB_Line}}. Investigator should verify exposure, rotate credentials and remediate impacted systems.
description: |
    'Detects exposed secrets in Bitbucket repositories using the Alerts_bit_bucket parser. Creates one incident per matched secret. Includes decoder, detector, commit, file, and repository context for SOC triage.'