Cyble Vision Alerts Website Defacement Content

Alerts_defacement_content  
| where Service == "defacement_content" 
| extend MappedSeverity = Severity

entityMappings:
- entityType: Url
  fieldMappings:
  - identifier: Url
    columnName: DC_URL
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DC_DomainName
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
incidentConfiguration:
  alertDescriptionFormat: |
        New or modified content was detected on website {{DC_DomainName}}. URL {{DC_URL}}. This may indicate unauthorized website updates or defacement activity.
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  alertDetailsOverride: 
  alertDisplayNameFormat: Defacement Activity Detected {{DC_DomainName}}
id: 91a00e4f-3edb-49e9-ba6f-cec87a5bd2f8
severity: Low
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  AlertID: AlertID
  DC_Keywords: DC_Keywords
  MappedSeverity: Severity
  DC_RecordID: DC_RecordID
  Service: Service
  Status: Status
  DC_DomainName: DC_DomainName
  DC_URL: DC_URL
query: |
  Alerts_defacement_content  
  | where Service == "defacement_content" 
  | extend MappedSeverity = Severity  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Defacement_Content.yaml
kind: Scheduled
queryPeriod: 30m
enabled: true
version: 1.0.0
name: Cyble Vision Alerts Website Defacement Content
queryfrequency: 30m
triggerThreshold: 0
relevantTechniques:
- T1491
description: |
    'Triggers when monitored websites show new or suspicious content referencing known defacement patterns. Supports investigation into potential web compromise incidents.'
triggerOperator: GreaterThan