Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk IP Indicators

Cyren High-Risk IP Indicators

Back
Id5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
RulenameCyren High-Risk IP Indicators
DescriptionDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.

These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.
SeverityHigh
TacticsCommandAndControl
Impact
TechniquesT1071
T1568
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
Version1.0.0
Arm template5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(ip_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by IP = ip_s, Source = source_s
| where DetectionCount >= 1
| extend 
    IPAddress = IP,
    ThreatCategories = strcat_array(Categories, ", ")

suppressionEnabled: false
status: Available
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
suppressionDuration: 1h
relevantTechniques:
- T1071
- T1568
name: Cyren High-Risk IP Indicators
entityMappings:
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(ip_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by IP = ip_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      IPAddress = IP,
      ThreatCategories = strcat_array(Categories, ", ")  
triggerOperator: gt
id: 5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
tactics:
- CommandAndControl
- Impact
severity: High
customDetails:
  RiskScore: MaxRisk
  DetectionCount: DetectionCount
  Source: Source
  Categories: ThreatCategories
description: |
  'Detects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.
  These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.'  
kind: Scheduled
queryFrequency: 1h
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    lookbackDuration: 1d
    reopenClosedIncident: false
    groupByEntities:
    - IP
    enabled: true
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 1d