Alerts_defacement_url
| where Service == "defacement_url"
| extend MappedSeverity = Severity
name: Cyble Vision Alerts Website Defacement URL
id: 1dabe566-a0f1-4c27-8307-aea5a79eb5e9
enabled: true
entityMappings:
- fieldMappings:
- columnName: DU_Description
identifier: Url
entityType: Url
- fieldMappings:
- columnName: DU_DomainName
identifier: HostName
entityType: Host
version: 1.0.0
triggerOperator: GreaterThan
query: |
Alerts_defacement_url
| where Service == "defacement_url"
| extend MappedSeverity = Severity
description: |
'Detects suspicious or unexpected changes to monitored URLs which may indicate website tampering or defacement.'
kind: Scheduled
queryfrequency: 30m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_defacement_url_rule.yaml
severity: Low
incidentConfiguration:
createIncident: true
alertDisplayNameFormat: URL Content Change Detected {{DU_DomainName}}
alertDetailsOverride:
alertDescriptionFormat: |
A monitored URL for domain {{DU_DomainName}} has changed {{DU_Description}}. This may indicate unauthorized modification consistent with website defacement activity.
groupingConfiguration:
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: false
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
status: Available
customDetails:
DU_Keywords: DU_Keywords
AlertID: AlertID
DU_description: DU_Description
DU_RecordID: DU_RecordID
Service: Service
DU_DomainName: DU_DomainName
Status: Status
MappedSeverity: Severity
DU_Type: DU_Type
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1491
tactics:
- Impact
