Microsoft Sentinel Analytic Rules
cloudbrothers.info | Azure Sentinel Repo

Cyren Feed Outage Detection

Id: 7f9a0d5c-3b4c-6d7e-1f2a-e3f4a5b6c7d8
Rulename: Cyren Feed Outage Detection
Description: Detects when the Cyren threat intelligence feed has not ingested any data for 6 or more hours. This may indicate a connectivity issue with the data connector, API authentication problems, or upstream service disruption.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: CyrenThreatIntel
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - Feed Outage Detection.yaml
Version: 1.0.0
Arm template: 7f9a0d5c-3b4c-6d7e-1f2a-e3f4a5b6c7d8.json
Cyren_Indicators_CL
| where TimeGenerated >= ago(24h)
| summarize 
    Total = count(), 
    Latest = max(TimeGenerated)
| extend HoursAgo = datetime_diff('hour', now(), Latest)
| where isnotempty(Latest) and HoursAgo >= 6
| project 
    LatestEventTime = Latest, 
    HoursSinceLastEvent = HoursAgo, 
    TotalEventsLast24h = Total,
    AlertMessage = strcat("Cyren feed has not received data for ", HoursAgo, " hours")
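One caveat worth checking before relying on this rule: summarize without a by clause still returns one row on empty input, with Total = 0 and Latest = null, and the isnotempty(Latest) filter then drops that row. The query therefore returns nothing, and the rule stays silent, exactly when the outage is complete (no rows at all inside the 24-hour query period); it only fires while the last indicator is between 6 and 24 hours old. The KQL below is an added example, not the rule's query and not from the Azure-Sentinel repo. It keeps the rule's thresholds but maps a null Latest to the full lookback length so a total outage also produces a row. Feed is a constructed stand-in for Cyren_Indicators_CL (built with datatable so the query runs in any Log Analytics workspace), and OutageThresholdHours and LookbackHours are names introduced here for the example.

```kql
// Added example, not the rule's query and not from the Azure-Sentinel repo.
// Feed is a constructed stand-in for Cyren_Indicators_CL so this runs in any
// Log Analytics workspace; substitute the real table name in the rule.
let OutageThresholdHours = 6;   // matches the rule's "6 or more hours"
let LookbackHours = 24;         // matches the rule's ago(24h) window
// Pick one scenario by uncommenting it (each row's age is relative to now()):
// A: healthy feed, last row 1h ago  -> query returns no rows, rule stays quiet
// let Feed = datatable(Age:timespan)[3h, 2h, 1h] | project TimeGenerated = now() - Age;
// B: stale feed, last row 8h ago    -> one row, HoursSinceLastEvent = 8
// let Feed = datatable(Age:timespan)[10h, 8h] | project TimeGenerated = now() - Age;
// C: complete outage, nothing in the window. The original query returns no
//    rows here (max() of nothing is null and fails isnotempty); this one fires.
let Feed = datatable(TimeGenerated:datetime)[];
Feed
| where TimeGenerated >= ago(24h)
| summarize Total = count(), Latest = max(TimeGenerated)
// summarize without a by clause still yields one row on empty input
// (Total = 0, Latest = null); treat the null as "stale for the whole window".
| extend HoursAgo = iff(isnull(Latest),
                        LookbackHours,
                        tolong(datetime_diff('hour', now(), Latest)))
| where HoursAgo >= OutageThresholdHours
| project
    LatestEventTime = Latest,
    HoursSinceLastEvent = HoursAgo,
    TotalEventsLast24h = Total,
    AlertMessage = iff(isnull(Latest),
        strcat("Cyren feed has received no data in the last ", LookbackHours, " hours"),
        strcat("Cyren feed has not received data for ", HoursAgo, " hours"))
```

Because the rule triggers on any returned row (trigger operator gt, threshold 0), the extra row in scenario C is enough to raise the alert. Two further points follow from the rule definition itself: if the custom table has never been created (connector never deployed), the query errors and the rule run fails rather than alerting, so a feed that was never connected is not caught by either version; and with suppressionEnabled: false and incident grouping disabled, the rule opens a new incident on every hourly run for as long as the feed stays down, so consider enabling suppression or grouping before deploying it at scale.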
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1562
query: |
  Cyren_Indicators_CL
  | where TimeGenerated >= ago(24h)
  | summarize 
      Total = count(), 
      Latest = max(TimeGenerated)
  | extend HoursAgo = datetime_diff('hour', now(), Latest)
  | where isnotempty(Latest) and HoursAgo >= 6
  | project 
      LatestEventTime = Latest, 
      HoursSinceLastEvent = HoursAgo, 
      TotalEventsLast24h = Total,
      AlertMessage = strcat("Cyren feed has not received data for ", HoursAgo, " hours")  
triggerOperator: gt
name: Cyren Feed Outage Detection
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: Selected
  createIncident: true
version: 1.0.0
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: CyrenThreatIntel
  dataTypes:
  - Cyren_Indicators_CL
description: |
  'Detects when the Cyren threat intelligence feed has not ingested any data for 6 or more hours.
  This may indicate a connectivity issue with the data connector, API authentication problems, or upstream service disruption.'  
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyrenThreatIntelligence/Analytic Rules/Cyren - Feed Outage Detection.yaml
suppressionEnabled: false
customDetails:
  LatestEventTime: LatestEventTime
  HoursSinceLastEvent: HoursSinceLastEvent
  TotalEventsLast24h: TotalEventsLast24h
queryFrequency: 1h
tactics:
- DefenseEvasion
status: Available
suppressionDuration: 1h
id: 7f9a0d5c-3b4c-6d7e-1f2a-e3f4a5b6c7d8