Cyble Vision Alerts Website Defacement URL

Alerts_defacement_url  
| where Service == "defacement_url" 
| extend MappedSeverity = Severity

name: Cyble Vision Alerts Website Defacement URL
query: |
  Alerts_defacement_url  
  | where Service == "defacement_url" 
  | extend MappedSeverity = Severity  
enabled: true
entityMappings:
- entityType: Url
  fieldMappings:
  - columnName: DU_Description
    identifier: Url
- entityType: Host
  fieldMappings:
  - columnName: DU_DomainName
    identifier: HostName
queryPeriod: 30m
version: 1.0.0
tactics:
- Impact
triggerOperator: GreaterThan
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_defacement_url_rule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  alertDetailsOverride: 
  alertDescriptionFormat: |
        A monitored URL for domain {{DU_DomainName}} has changed {{DU_Description}}. This may indicate unauthorized modification consistent with website defacement activity.
  alertDisplayNameFormat: URL Content Change Detected {{DU_DomainName}}
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
relevantTechniques:
- T1491
id: 1dabe566-a0f1-4c27-8307-aea5a79eb5e9
customDetails:
  MappedSeverity: Severity
  DU_Keywords: DU_Keywords
  DU_Type: DU_Type
  AlertID: AlertID
  DU_DomainName: DU_DomainName
  Status: Status
  DU_description: DU_Description
  DU_RecordID: DU_RecordID
  Service: Service
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
status: Available
description: |
    'Detects suspicious or unexpected changes to monitored URLs which may indicate website tampering or defacement.'
queryfrequency: 30m