Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk IP Indicators

Cyren High-Risk IP Indicators

Back
Id5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
RulenameCyren High-Risk IP Indicators
DescriptionDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.

These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.
SeverityHigh
TacticsCommandAndControl
Impact
TechniquesT1071
T1568
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
Version1.0.0
Arm template5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(ip_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by IP = ip_s, Source = source_s
| where DetectionCount >= 1
| extend 
    IPAddress = IP,
    ThreatCategories = strcat_array(Categories, ", ")

customDetails:
  RiskScore: MaxRisk
  Source: Source
  Categories: ThreatCategories
  DetectionCount: DetectionCount
suppressionDuration: 1h
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1d
version: 1.0.0
status: Available
suppressionEnabled: false
tactics:
- CommandAndControl
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByEntities:
    - IP
    lookbackDuration: 1d
    enabled: true
    matchingMethod: Selected
  createIncident: true
triggerThreshold: 0
description: |
  'Detects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.
  These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.'  
severity: High
relevantTechniques:
- T1071
- T1568
id: 5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
name: Cyren High-Risk IP Indicators
requiredDataConnectors:
- dataTypes:
  - Cyren_Indicators_CL
  connectorId: CyrenThreatIntel
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(ip_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by IP = ip_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      IPAddress = IP,
      ThreatCategories = strcat_array(Categories, ", ")  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPAddress
  entityType: IP
triggerOperator: gt