Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk URL Indicators

Cyren High-Risk URL Indicators

Back
Id6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
RulenameCyren High-Risk URL Indicators
DescriptionDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.

These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1566
T1189
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
Version1.0.0
Arm template6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(url_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by URL = url_s, Domain = domain_s, Source = source_s
| where DetectionCount >= 1
| extend 
    MaliciousURL = URL,
    ThreatCategories = strcat_array(Categories, ", ")

name: Cyren High-Risk URL Indicators
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(url_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by URL = url_s, Domain = domain_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      MaliciousURL = URL,
      ThreatCategories = strcat_array(Categories, ", ")  
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Cyren_Indicators_CL
  connectorId: CyrenThreatIntel
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: MaliciousURL
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    lookbackDuration: 1d
    reopenClosedIncident: false
    enabled: true
    groupByEntities:
    - URL
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
description: |
  'Detects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.
  These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.'  
version: 1.0.0
id: 6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
kind: Scheduled
suppressionEnabled: false
relevantTechniques:
- T1566
- T1189
customDetails:
  Domain: Domain
  RiskScore: MaxRisk
  Source: Source
  Categories: ThreatCategories
  DetectionCount: DetectionCount
suppressionDuration: 1h
severity: High
tactics:
- InitialAccess
- Execution
queryPeriod: 1d