Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyren High-Risk URL Indicators

Cyren High-Risk URL Indicators

Back
Id6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
RulenameCyren High-Risk URL Indicators
DescriptionDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.

These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1566
T1189
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
Version1.0.0
Arm template6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(url_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by URL = url_s, Domain = domain_s, Source = source_s
| where DetectionCount >= 1
| extend 
    MaliciousURL = URL,
    ThreatCategories = strcat_array(Categories, ", ")

version: 1.0.0
severity: High
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(url_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by URL = url_s, Domain = domain_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      MaliciousURL = URL,
      ThreatCategories = strcat_array(Categories, ", ")  
queryPeriod: 1d
status: Available
kind: Scheduled
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  DetectionCount: DetectionCount
  Domain: Domain
  Source: Source
  Categories: ThreatCategories
  RiskScore: MaxRisk
tactics:
- InitialAccess
- Execution
triggerOperator: gt
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
entityMappings:
- fieldMappings:
  - columnName: MaliciousURL
    identifier: Url
  entityType: URL
suppressionDuration: 1h
name: Cyren High-Risk URL Indicators
triggerThreshold: 0
description: |
  'Detects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.
  These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.'  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: 1d
    matchingMethod: Selected
    groupByEntities:
    - URL
    reopenClosedIncident: false
id: 6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
relevantTechniques:
- T1566
- T1189
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL