Microsoft Sentinel Analytic Rules

Cyble Vision Alerts Malicious Ads Detected

Id: cf0a9691-5716-42e0-bfa1-49b35d3a7892
Rulename: Cyble Vision Alerts Malicious Ads Detected
Description: Generates an incident when Cyble Intelligence detects a malicious advertisement, malvertising activity, or redirect attempting to impersonate a legitimate brand.
Severity: Low
Tactics: InitialAccess, Execution
Techniques: T1189, T1566, T1059
Required data connectors: CybleVisionAlerts
Kind: Scheduled
Query frequency: 30m
Query period: 30m
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Malicious_ads.yaml
Version: 1.0.0
Arm template: cf0a9691-5716-42e0-bfa1-49b35d3a7892.json
Alerts_malicious_ads
| where Service == "malicious_ads"
| extend MappedSeverity = Severity
kind: Scheduled
triggerThreshold: 0
customDetails:
  AlertID: AlertID
  Domain: MA_Domain_URL
  Status: Status
  IsLive: MA_IsLive
  Keyword: MA_Keyword_Nested
  MappedSeverity: Severity
  Service: Service
tactics:
- InitialAccess
- Execution
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Generates an incident when Cyble Intelligence detects a malicious advertisement, malvertising activity, or redirect attempting to impersonate a legitimate brand.'
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
queryPeriod: 30m
version: 1.0.0
severity: Low
enabled: true
entityMappings:
- fieldMappings:
  - columnName: MA_Domain_URL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: MA_DomainName_Nested
    identifier: DomainName
  entityType: DNS
queryFrequency: 30m
id: cf0a9691-5716-42e0-bfa1-49b35d3a7892
status: Available
name: Cyble Vision Alerts Malicious Ads Detected
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Malicious_ads.yaml
triggerOperator: GreaterThan
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
alertDetailsOverride:
  alertDescriptionFormat: |
    Cyble Intelligence detected a malicious advertisement or suspicious redirect.
    Domain {{MA_Domain_URL}}
    Brand/Keyword {{MA_Keyword_Nested}}
    Status Code {{MA_StatusCode}}
  alertDisplayNameFormat: Malicious Ad Detected  {{MA_DomainName_Nested}}
relevantTechniques:
- T1189
- T1566
- T1059
suppressionDuration: PT5M
query: |
  Alerts_malicious_ads
  | where Service == "malicious_ads"
  | extend MappedSeverity = Severity