Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cyren High-Risk URL Indicators

Back
Id6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
RulenameCyren High-Risk URL Indicators
DescriptionDetects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.

These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.
SeverityHigh
TacticsInitialAccess
Execution
TechniquesT1566
T1189
Required data connectorsCyrenThreatIntel
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
Version1.0.0
Arm template6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7.json
Deploy To Azure
Cyren_Indicators_CL
| where TimeGenerated > ago(1d)
| where isnotempty(url_s)
| extend Risk = toint(risk_d)
| where Risk >= 80
| summarize 
    DetectionCount = count(), 
    MaxRisk = max(Risk), 
    Categories = make_set(category_s) 
  by URL = url_s, Domain = domain_s, Source = source_s
| where DetectionCount >= 1
| extend 
    MaliciousURL = URL,
    ThreatCategories = strcat_array(Categories, ", ")
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: MaliciousURL
tactics:
- InitialAccess
- Execution
suppressionEnabled: false
suppressionDuration: 1h
requiredDataConnectors:
- dataTypes:
  - Cyren_Indicators_CL
  connectorId: CyrenThreatIntel
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    groupByEntities:
    - URL
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: 6e8f9c4b-2a3b-5c6d-0e1f-d2e3f4a5b6c7
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  DetectionCount: DetectionCount
  Source: Source
  Categories: ThreatCategories
  RiskScore: MaxRisk
  Domain: Domain
query: |
  Cyren_Indicators_CL
  | where TimeGenerated > ago(1d)
  | where isnotempty(url_s)
  | extend Risk = toint(risk_d)
  | where Risk >= 80
  | summarize 
      DetectionCount = count(), 
      MaxRisk = max(Risk), 
      Categories = make_set(category_s) 
    by URL = url_s, Domain = domain_s, Source = source_s
  | where DetectionCount >= 1
  | extend 
      MaliciousURL = URL,
      ThreatCategories = strcat_array(Categories, ", ")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - High Risk URL Indicators.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.0
name: Cyren High-Risk URL Indicators
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1566
- T1189
description: |
  'Detects high-risk URL indicators (risk score >= 80) from Cyren malware URL threat intelligence feeds in the last 24 hours.
  These URLs are associated with malware distribution, phishing campaigns, or other malicious content hosting.'  
triggerOperator: gt