Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Acronis - Multiple Endpoints Accessing Malicious URLs

Acronis - Multiple Endpoints Accessing Malicious URLs

Back
Id1385f0ce-69d9-4abf-8039-52080c8c7017
RulenameAcronis - Multiple Endpoints Accessing Malicious URLs
DescriptionMultiple endpoints accessing malicious URLs could indicate an ongoing phishing attack, with several employees interacting with those URLs.
SeverityMedium
TacticsExecution
TechniquesT1204.001
KindScheduled
Query frequency1h
Query period1d
Trigger threshold2
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleEndpointsAccessingMaliciousURLs.yaml
Version1.0.0
Arm template1385f0ce-69d9-4abf-8039-52080c8c7017.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Acronis"
| where DeviceEventClassID == "MaliciousUrlDetected"
| summarize MaliciousUrlDetected = count() by DeviceName

kind: Scheduled
requiredDataConnectors: []
triggerThreshold: 2
triggerOperator: gt
version: 1.0.0
tactics:
- Execution
queryPeriod: 1d
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AnyAlert
    enabled: true
    lookbackDuration: P1D
    reopenClosedIncident: true
queryFrequency: 1h
id: 1385f0ce-69d9-4abf-8039-52080c8c7017
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1204.001
description: Multiple endpoints accessing malicious URLs could indicate an ongoing phishing attack, with several employees interacting with those URLs.
customDetails:
  DeviceName: DeviceName
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleEndpointsAccessingMaliciousURLs.yaml
name: Acronis - Multiple Endpoints Accessing Malicious URLs
severity: Medium
query: |
  CommonSecurityLog
  | where DeviceVendor == "Acronis"
  | where DeviceEventClassID == "MaliciousUrlDetected"
  | summarize MaliciousUrlDetected = count() by DeviceName