Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk URL Indicators

Cyren High-Risk URL Indicators

Back
Id6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
RulenameCyren High-Risk URL Indicators
DescriptionDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.

These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1566
T1189
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
Version1.0.0
Arm template6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(url_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by URL = url_s, Domain = domain_s, Source = source_s
| where DetectionCount >= 1
| extend 
    MaliciousURL = URL,
    ThreatCategories = strcat_array(Categories, ", ")

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - URL
    matchingMethod: Selected
    lookbackDuration: 1d
    reopenClosedIncident: false
    enabled: true
relevantTechniques:
- T1566
- T1189
queryFrequency: 1h
description: |
  'Detects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.
  These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.'  
triggerThreshold: 0
id: 6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
name: Cyren High-Risk URL Indicators
queryPeriod: 1d
customDetails:
  Domain: Domain
  RiskScore: MaxRisk
  Categories: ThreatCategories
  Source: Source
  DetectionCount: DetectionCount
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(url_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by URL = url_s, Domain = domain_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      MaliciousURL = URL,
      ThreatCategories = strcat_array(Categories, ", ")  
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: MaliciousURL
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL
suppressionDuration: 1h
status: Available
version: 1.0.0
tactics:
- InitialAccess
- Execution
suppressionEnabled: false
kind: Scheduled