Malicious Redirector Informational

Back


Id	ed036278-9fec-4152-ac73-366f138fc679
Rulename	Malicious Redirector (Informational)
Description	New Malicious Redirector with severity Informational found
Severity	Informational
Tactics	InitialAccess
Techniques	T1566
Required data connectors	CBSPollingIDAzureFunctions
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/malicious_redirector_informational.yaml
Version	1.0.0
Arm template	ed036278-9fec-4152-ac73-366f138fc679.json

KQL

CBSLog_Azure_1_CL | where severity_s == "Informational" | where type_s == "Malicious Redirector" | where status_s != "Closed" or status_s != "Resolved"

YAML

kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CBSLog_Azure_1_CL
  connectorId: CBSPollingIDAzureFunctions
relevantTechniques:
- T1566
status: Available
tactics:
- InitialAccess
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
suppressionEnabled: false
name: Malicious Redirector (Informational)
queryFrequency: 5m
query: CBSLog_Azure_1_CL | where severity_s == "Informational" | where type_s == "Malicious Redirector" | where status_s != "Closed" or status_s != "Resolved"
id: ed036278-9fec-4152-ac73-366f138fc679
severity: Informational
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Analytic Rules/malicious_redirector_informational.yaml
version: 1.0.0
description: New Malicious Redirector with severity Informational found
triggerThreshold: 0
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
  createIncident: true
triggerOperator: gt

ARM