User Accessed Suspicious URL Categories

SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)

severity: Medium
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: cs_userdn
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: c_ip
  entityType: IP
kind: Scheduled
status: Available
tactics:
- InitialAccess
- CommandAndControl
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
relevantTechniques:
- T1566
- T1071
version: 1.0.5
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
triggerThreshold: 0
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
queryPeriod: 1h
name: User Accessed Suspicious URL Categories