Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User Accessed Suspicious URL Categories

User Accessed Suspicious URL Categories

Back
Idfb0f4a93-d8ad-4b54-9931-85bdb7550f90
RulenameUser Accessed Suspicious URL Categories
DescriptionCreates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.
SeverityMedium
TacticsDefenseEvasion
Required data connectorsSymantecProxySG
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
Version1.0.1
Arm templatefb0f4a93-d8ad-4b54-9931-85bdb7550f90.json
Deploy To Azure
SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
triggerOperator: gt
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: SymantecProxySG
queryPeriod: 1h
version: 1.0.1
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
  | extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer  
tactics:
- DefenseEvasion
severity: Medium
name: User Accessed Suspicious URL Categories
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
queryFrequency: 1h
triggerThreshold: 0
status: Available
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "properties": {
        "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
        "customDetails": null,
        "description": "'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'\n",
        "displayName": "User Accessed Suspicious URL Categories",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml",
        "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}