Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk IP Indicators

Cyren High-Risk IP Indicators

Back
Id5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
RulenameCyren High-Risk IP Indicators
DescriptionDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.

These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.
SeverityHigh
TacticsCommandAndControl
Impact
TechniquesT1071
T1568
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
Version1.0.0
Arm template5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(ip_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by IP = ip_s, Source = source_s
| where DetectionCount >= 1
| extend 
    IPAddress = IP,
    ThreatCategories = strcat_array(Categories, ", ")

suppressionDuration: 1h
queryPeriod: 1d
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL
description: |
  'Detects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.
  These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.'  
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - IP
    enabled: true
    lookbackDuration: 1d
triggerOperator: gt
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(ip_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by IP = ip_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      IPAddress = IP,
      ThreatCategories = strcat_array(Categories, ", ")  
name: Cyren High-Risk IP Indicators
id: 5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
severity: High
version: 1.0.0
status: Available
relevantTechniques:
- T1071
- T1568
triggerThreshold: 0
customDetails:
  Source: Source
  Categories: ThreatCategories
  RiskScore: MaxRisk
  DetectionCount: DetectionCount
tactics:
- CommandAndControl
- Impact