Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk IP Indicators

Cyren High-Risk IP Indicators

Back
Id5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
RulenameCyren High-Risk IP Indicators
DescriptionDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.

These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.
SeverityHigh
TacticsCommandAndControl
Impact
TechniquesT1071
T1568
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
Version1.0.0
Arm template5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(ip_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by IP = ip_s, Source = source_s
| where DetectionCount >= 1
| extend 
    IPAddress = IP,
    ThreatCategories = strcat_array(Categories, ", ")

version: 1.0.0
queryFrequency: 1h
kind: Scheduled
suppressionDuration: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1071
- T1568
triggerOperator: gt
customDetails:
  Categories: ThreatCategories
  RiskScore: MaxRisk
  Source: Source
  DetectionCount: DetectionCount
status: Available
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL
id: 5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
name: Cyren High-Risk IP Indicators
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(ip_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by IP = ip_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      IPAddress = IP,
      ThreatCategories = strcat_array(Categories, ", ")  
queryPeriod: 1d
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
triggerThreshold: 0
description: |
  'Detects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.
  These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.'  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1d
    matchingMethod: Selected
    groupByEntities:
    - IP
    reopenClosedIncident: false
    enabled: true
severity: High
tactics:
- CommandAndControl
- Impact
suppressionEnabled: false