Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk IP Indicators

Cyren High-Risk IP Indicators

Back
Id5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
RulenameCyren High-Risk IP Indicators
DescriptionDetects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.

These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.
SeverityHigh
TacticsCommandAndControl
Impact
TechniquesT1071
T1568
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
Version1.0.0
Arm template5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(ip_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by IP = ip_s, Source = source_s
| where DetectionCount >= 1
| extend 
    IPAddress = IP,
    ThreatCategories = strcat_array(Categories, ", ")

customDetails:
  DetectionCount: DetectionCount
  Source: Source
  RiskScore: MaxRisk
  Categories: ThreatCategories
triggerOperator: gt
tactics:
- CommandAndControl
- Impact
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1d
    matchingMethod: Selected
    groupByEntities:
    - IP
suppressionDuration: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk IP Indicators.yaml
version: 1.0.0
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(ip_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by IP = ip_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      IPAddress = IP,
      ThreatCategories = strcat_array(Categories, ", ")  
triggerThreshold: 0
relevantTechniques:
- T1071
- T1568
queryPeriod: 1d
status: Available
severity: High
kind: Scheduled
name: Cyren High-Risk IP Indicators
queryFrequency: 1h
id: 5d7e8b3a-1f2c-4e5d-9a0b-c1d2e3f4a5b6
description: |
  'Detects high-risk IP indicators (risk score >= 80) from Cyren threat intelligence feeds in the last 24 hours.
  These IPs are associated with malicious activity such as malware distribution, phishing, or botnet command and control.'  
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - Cyren_Indicators_CL
  connectorId: CyrenThreatIntel
entityMappings:
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP