Alerts_suspicious_domains
| where Service == "suspicious_domain"
| extend MappedSeverity = Severity
name: Cyble Vision Alerts Suspicious Domain
query: |
Alerts_suspicious_domains
| where Service == "suspicious_domain"
| extend MappedSeverity = Severity
enabled: true
entityMappings:
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
subTechniques: []
queryPeriod: 30m
version: 1.0.0
tactics:
- Reconnaissance
suppressionDuration: PT5H
triggerOperator: GreaterThan
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Suspicious_Domain.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
matchingMethod: AllEntities
createIncident: true
relevantTechniques:
- T1595
id: c56fcb78-b708-4a92-bad4-d50b1e15c42c
customDetails:
LastLiveCheck: SD_LastLiveCheck
A_Records: A_Records
AlertID: AlertID
Score: SD_Score
MX_Records: MX_Records
Service: Service
MappedSeverity: Severity
NS_Records: NS_Records
RegistrationDate: SD_RegistrationDate
Screenshot: SD_ScreenshotURL
Domain: Domain
Status: Status
Keyword: KeywordName
LiveStatus: SD_IsLive
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
dataTypes:
- CybleVisionAlerts_CL
status: Available
description: |
'This Rule generates Cyble Vision Alerts for Service - Suspicious Domain severity LOW'
alertDetailsOverride:
alertDescriptionFormat: |
Suspicious Domain detected for {{Domain}} with {{Status}}
alertDisplayNameFormat: Suspicious Domain Detected {{Domain}} {{Status}}
alertDynamicProperties: []
queryFrequency: 30m
