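# Microsoft Sentinel scheduled analytics rule shipped with the Egress Defend
# solution. Raises an alert whenever DefendAuditData reports a mailbox user
# clicking a link that Defend rated "dangerous" or "suspicious".
id: a896123e-03a5-4a4d-a7e3-fd814846dfb2
name: Egress Defend - Dangerous Link Click
# The block scalar keeps the surrounding single quotes as literal characters of
# the description; this matches the convention other rules in the Sentinel
# content repo use, so it is left unchanged.
description: |
  'Defend has detected a user has clicked a dangerous link in their mailbox.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: EgressDefend
    dataTypes:
      - EgressDefend_CL
# Runs every 30 minutes over the preceding 30 minutes, i.e. no overlap window.
# NOTE(review): rows that arrive in the workspace after their slot has already
# been evaluated (ingestion delay) could be missed -- confirm Sentinel's
# built-in ingestion-delay handling is sufficient for this connector's latency.
queryFrequency: 30m
queryPeriod: 30m
# Alert when at least one matching row is returned.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  # T1204 (User Execution) covers the user clicking the link.
  - T1204
  # NOTE(review): T0853 is an ATT&CK for ICS technique ID; confirm it is the
  # intended mapping for a mailbox link-click detection rather than an
  # Enterprise-matrix technique.
  - T0853
tags:
  - Defend
# The query reads DefendAuditData, while the connector above declares
# EgressDefend_CL as its data type -- presumably DefendAuditData is the
# solution's parser/function over that table; verify it is deployed with
# this rule, otherwise the query fails to resolve the table name.
#
# The final extend strips leading/trailing characters that are not '@', '.'
# or word characters from Recipients (e.g. wrapping brackets or quotes) to
# produce an address-like value for entity mapping. Assumes Recipients holds
# a single address -- if it carries several, the inner separators survive the
# trim and the Account/Mailbox entities receive a multi-address string; TODO
# confirm the column's shape against the connector schema.
query: |
  DefendAuditData
  | where LinksClicked > 0
  | where ThreatLevel == "dangerous" or ThreatLevel == "suspicious"
  | extend Account_0_FullName = trim(@"[^@.\w]+",Recipients)
entityMappings:
  # The clicking user, as derived above.
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Account_0_FullName
  # Sender-side IP as reported by Defend (also surfaced in customDetails).
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SenderIP
  # The link that was clicked.
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  # Same trimmed recipient value, mapped as the affected mailbox.
  - entityType: Mailbox
    fieldMappings:
      - identifier: MailboxPrimaryAddress
        columnName: Account_0_FullName
customDetails:
  DefendSenderIP: SenderIP
  DefendSender: From
  timesClicked: LinksClicked
alertDetailsOverride:
  # Fixed wording: "as clicked" -> "has clicked" in the analyst-facing title.
  alertDisplayNameFormat: Alert - {{Account_0_FullName}} has clicked a suspicious link.
# Patch bump: the alert display name text changed.
version: 1.0.1
kind: Scheduled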