Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Website Defacement URL

Cyble Vision Alerts Website Defacement URL

Back
Id1dabe566-a0f1-4c27-8307-aea5a79eb5e9
RulenameCyble Vision Alerts Website Defacement URL
DescriptionDetects suspicious or unexpected changes to monitored URLs which may indicate website tampering or defacement.
SeverityLow
TacticsImpact
TechniquesT1491
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_defacement_url_rule.yaml
Version1.0.0
Arm template1dabe566-a0f1-4c27-8307-aea5a79eb5e9.json
Deploy To Azure
Alerts_defacement_url  
| where Service == "defacement_url" 
| extend MappedSeverity = Severity

description: |
    'Detects suspicious or unexpected changes to monitored URLs which may indicate website tampering or defacement.'
kind: Scheduled
queryfrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_defacement_url_rule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Low
triggerOperator: GreaterThan
triggerThreshold: 0
name: Cyble Vision Alerts Website Defacement URL
customDetails:
  MappedSeverity: Severity
  DU_description: DU_Description
  DU_DomainName: DU_DomainName
  DU_Keywords: DU_Keywords
  Status: Status
  AlertID: AlertID
  DU_Type: DU_Type
  Service: Service
  DU_RecordID: DU_RecordID
entityMappings:
- fieldMappings:
  - columnName: DU_Description
    identifier: Url
  entityType: Url
- fieldMappings:
  - columnName: DU_DomainName
    identifier: HostName
  entityType: Host
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
enabled: true
id: 1dabe566-a0f1-4c27-8307-aea5a79eb5e9
queryPeriod: 30m
incidentConfiguration:
  createIncident: true
  alertDescriptionFormat: |
        A monitored URL for domain {{DU_DomainName}} has changed {{DU_Description}}. This may indicate unauthorized modification consistent with website defacement activity.
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
  alertDisplayNameFormat: URL Content Change Detected {{DU_DomainName}}
  alertDetailsOverride: 
tactics:
- Impact
relevantTechniques:
- T1491
status: Available
version: 1.0.0
query: |
  Alerts_defacement_url  
  | where Service == "defacement_url" 
  | extend MappedSeverity = Severity