Alerts_defacement_content
| where Service == "defacement_content"
| extend MappedSeverity = Severity
customDetails:
Status: Status
DC_RecordID: DC_RecordID
Service: Service
DC_DomainName: DC_DomainName
DC_Keywords: DC_Keywords
MappedSeverity: Severity
AlertID: AlertID
DC_URL: DC_URL
severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Defacement_Content.yaml
query: |
Alerts_defacement_content
| where Service == "defacement_content"
| extend MappedSeverity = Severity
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
incidentConfiguration:
alertDetailsOverride:
alertDisplayNameFormat: Defacement Activity Detected {{DC_DomainName}}
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
alertDescriptionFormat: |
New or modified content was detected on website {{DC_DomainName}}. URL {{DC_URL}}. This may indicate unauthorized website updates or defacement activity.
relevantTechniques:
- T1491
kind: Scheduled
name: Cyble Vision Alerts Website Defacement Content
tactics:
- Impact
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
- identifier: Url
columnName: DC_URL
entityType: Url
- fieldMappings:
- identifier: HostName
columnName: DC_DomainName
entityType: Host
enabled: true
queryfrequency: 30m
description: |
'Triggers when monitored websites show new or suspicious content referencing known defacement patterns. Supports investigation into potential web compromise incidents.'
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: 91a00e4f-3edb-49e9-ba6f-cec87a5bd2f8
