Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk URL Indicators

Cyren High-Risk URL Indicators

Back
Id6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
RulenameCyren High-Risk URL Indicators
DescriptionDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.

These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1566
T1189
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
Version1.0.0
Arm template6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(url_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by URL = url_s, Domain = domain_s, Source = source_s
| where DetectionCount >= 1
| extend 
    MaliciousURL = URL,
    ThreatCategories = strcat_array(Categories, ", ")

requiredDataConnectors:
- dataTypes:
  - Cyren_Indicators_CL
  connectorId: CyrenThreatIntel
queryPeriod: 1d
triggerThreshold: 0
queryFrequency: 1h
suppressionDuration: 1h
status: Available
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - URL
    enabled: true
    lookbackDuration: 1d
description: |
  'Detects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.
  These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.'  
name: Cyren High-Risk URL Indicators
kind: Scheduled
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: MaliciousURL
  entityType: URL
triggerOperator: gt
id: 6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- InitialAccess
- Execution
relevantTechniques:
- T1566
- T1189
customDetails:
  Domain: Domain
  DetectionCount: DetectionCount
  RiskScore: MaxRisk
  Source: Source
  Categories: ThreatCategories
suppressionEnabled: false
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(url_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by URL = url_s, Domain = domain_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      MaliciousURL = URL,
      ThreatCategories = strcat_array(Categories, ", ")