CommonSecurityLog
| where DeviceVendor == "Acronis"
| where DeviceEventClassID == "MaliciousUrlDetected"
| summarize MaliciousUrlDetected = count() by DeviceName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleEndpointsAccessingMaliciousURLs.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
queryPeriod: 1d
version: 1.0.0
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: DeviceName
entityType: Host
incidentConfiguration:
groupingConfiguration:
matchingMethod: AnyAlert
reopenClosedIncident: true
enabled: true
lookbackDuration: P1D
createIncident: true
customDetails:
DeviceName: DeviceName
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
id: 1385f0ce-69d9-4abf-8039-52080c8c7017
tactics:
- Execution
query: |
CommonSecurityLog
| where DeviceVendor == "Acronis"
| where DeviceEventClassID == "MaliciousUrlDetected"
| summarize MaliciousUrlDetected = count() by DeviceName
requiredDataConnectors: []
triggerThreshold: 2
description: Multiple endpoints accessing malicious URLs could indicate an ongoing phishing attack, with several employees interacting with those URLs.
name: Acronis - Multiple Endpoints Accessing Malicious URLs
severity: Medium
relevantTechniques:
- T1204.001
