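# Scheduled analytics rule (Microsoft Sentinel detection-rule schema) for the
# Symantec ProxySG connector. As rendered, the nested keys (dataTypes,
# fieldMappings, columnName, ...) had lost their indentation, which would make
# them top-level keys rather than children of their list items; the structure
# below restores the intended nesting. The KQL query text is unchanged.
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
name: User Accessed Suspicious URL Categories
description: |
  'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
severity: Medium
requiredDataConnectors:
  - connectorId: SymantecProxySG
    dataTypes:
      - Syslog
# Runs hourly over the preceding hour. Because the lookback equals the run
# interval there is no overlap between consecutive runs; events that arrive
# with ingestion latency beyond that window would not be seen by either run.
# NOTE(review): consider a queryPeriod slightly longer than queryFrequency
# if delayed ingestion is observed for this source.
queryFrequency: 1h
queryPeriod: 1h
# Any result row (count > 0) raises an incident.
triggerOperator: gt
triggerThreshold: 0
# NOTE(review): the ATT&CK mapping (DefenseEvasion / T1090 Proxy) appears to
# reflect the proxy log source rather than the user behaviour being detected;
# confirm it matches the intended categorization.
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1090
# Query notes (kept outside the block scalar so the query text itself is
# untouched):
#  - mv-expand turns the multi-valued cs_categories field into one row per
#    category, so a single request can yield several rows.
#  - has_any is case-insensitive, so the mixed casing of the literals does not
#    narrow the match.
#  - sc_filter_result is a group-by key, so both allowed and proxy-blocked
#    requests produce separate result rows. NOTE(review): if blocked requests
#    are considered low-value noise, filter on sc_filter_result before the
#    summarize.
#  - The trailing extend produces the *CustomEntity columns consumed by
#    entityMappings below.
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)
  | extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer
# Each mapping references a column emitted by the query's final extend.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0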