Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Hacktivism

Cyble Vision Alerts Hacktivism

Back
Id6649e5a0-0365-452f-84b3-448a0aec7a59
RulenameCyble Vision Alerts Hacktivism
DescriptionDetects hacktivist activity (Telegram posts, defacements, site takedowns, etc.) using the Alerts_Hacktivism parser. Extracts post content, attacker/team,domains, links, IPs, media and metadata for triage.
SeverityLow
TacticsReconnaissance
Impact
ResourceDevelopment
TechniquesT1595
T1491
T1498
T1585
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_hacktivism.yaml
Version1.0.0
Arm template6649e5a0-0365-452f-84b3-448a0aec7a59.json
Deploy To Azure
Alerts_hacktivism 
| where Service contains "hacktivism" 
| extend Mappedseverity = Severity

suppressionDuration: PT5H
status: Available
subTechniques: []
queryPeriod: 30m
triggerOperator: GreaterThan
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_hacktivism.yaml
queryFrequency: 30m
tactics:
- Reconnaissance
- Impact
- ResourceDevelopment
triggerThreshold: 0
query: |
  Alerts_hacktivism 
  | where Service contains "hacktivism" 
  | extend Mappedseverity = Severity  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: HK_AttackerTeam
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: HK_All_URLs
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: HK_All_Domains
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: HK_IP
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
alertDetailsOverride:
  alertDescriptionFormat: |
        Hacktivism activity detected. Attacker/Team {{HK_AttackerTeam}} Post excerpt {{HK_PostData}} Domains/Links {{HK_All_Domains}}
  alertDisplayNameFormat: CybleVision Hacktivism {{HK_ChannelName}} / {{HK_AttackerTeam}}
  alertDynamicProperties: []
relevantTechniques:
- T1595
- T1491
- T1498
- T1585
customDetails:
  PostText: HK_PostData
  Status: Status
  Server: HK_Server
  Tags: HK_Tags
  Attacker: HK_Attacker
  SourceWebsite: HK_SourceWebsite
  ChannelName: HK_ChannelName
  PostID: HK_PostID
  Source: HK_SourceWebsite
  WebsiteURL: HK_WebsiteURL
  MappedSeverity: Severity
  Phones: HK_Phones
  Emails: HK_Emails
  PostedAt: HK_PostedAt
  ChannelLink: HK_ChannelLink
  TargetDomain: HK_Domain
  AlertID: AlertID
  Service: Service
description: |
    'Detects hacktivist activity (Telegram posts, defacements, site takedowns, etc.) using the Alerts_Hacktivism parser. Extracts post content, attacker/team,domains, links, IPs, media and metadata for triage.'
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
name: Cyble Vision Alerts Hacktivism
version: 1.0.0
kind: Scheduled
id: 6649e5a0-0365-452f-84b3-448a0aec7a59
severity: Low