The presence of URLs in an e-mail message is not malicious by itself, but it is the usual delivery vector for phishing lures and for the first-stage download that later establishes command-and-control communication or exfiltrates data. The rule below flags mail files that carry at least one http(s) URL so that such messages can be triaged early; when its hits are forwarded to Azure Sentinel, SOC teams can hunt on them alongside mail-gateway and proxy telemetry and stop early-stage threats before they turn into persistent malware activity or data breaches.
YARA Rule
rule with_urls : mail {
    meta:
        author = "Antonio Sanchez <[email protected]>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the presence of one or several URLs"
    strings:
        // Mail header field names: the rule only fires on e-mail content
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        // Case-sensitive http/https URL (no nocase modifier); the trailing
        // character class admits spaces, so a match can run past the URL
        // into the text that follows it
        $url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic: three literal mail header names and one URL regular expression. The condition is all of them, so every pattern must be present: a log file or document that contains URLs but no From:, To: and Subject: headers does not match, and neither does a message whose URL scheme is written in upper case (HTTP://), because none of the strings carries the nocase modifier.
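To make the rule's semantics concrete, here is a Python emulation of it, added as an example and not the rule author's code. It reproduces the four patterns and the all-of-them condition with the standard re module, and runs them over constructed samples (a mail with a URL, a mail without one, a web-server access log, and a mail with an upper-case scheme) so that the two caveats above can be observed directly. Names such as with_urls, raw_url_matches and url_to_ioc and the sample contents are assumptions for this example.

```python
import re

# Added example: a Python emulation of the with_urls rule, not the rule author's
# code. It reproduces the four patterns and the "all of them" condition so the
# rule's behaviour can be checked on constructed samples without a YARA binary.
EML_HEADERS = ("From:", "To:", "Subject:")  # $eml_01 .. $eml_03
# Same pattern as $url_regex; re.ASCII keeps \w to [A-Za-z0-9_] as in YARA.
URL_REGEX = re.compile(r"https?://([\w.-]+)([/\w .-]*)", re.ASCII)


def with_urls(data: bytes) -> bool:
    """True when every pattern is present, i.e. the rule's 'all of them'."""
    text = data.decode("latin-1")  # byte-for-byte like YARA; no charset guessing
    return all(h in text for h in EML_HEADERS) and URL_REGEX.search(text) is not None


def raw_url_matches(data: bytes) -> list[str]:
    """Exactly what $url_regex would match, including any overrun into prose."""
    return [m.group(0) for m in URL_REGEX.finditer(data.decode("latin-1"))]


def url_to_ioc(match: str) -> str:
    """Trim a raw match at the first whitespace and drop trailing punctuation
    before using it as an indicator; the regex's trailing class admits spaces."""
    return match.split()[0].rstrip(".,;:")


# Constructed samples (not real mail or logs)
MAIL_WITH_URL = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Invoice\r\n"
    b"\r\n"
    b"Please review http://portal.example.com/login before Friday.\r\n"
)
MAIL_NO_URL = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Lunch\r\n\r\nSee you at noon.\r\n"
)
# A web-server access log: has a URL but no mail headers, so the rule is silent
ACCESS_LOG = (
    b'10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 '
    b'"http://referrer.example.com/page" "Mozilla/5.0"\n'
)
# Upper-case scheme: no nocase modifier on $url_regex, so this is missed
MAIL_UPPER_SCHEME = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: Hi\r\n\r\n"
    b"HTTP://EVIL.EXAMPLE/x\r\n"
)


if __name__ == "__main__":
    samples = [
        ("mail with url", MAIL_WITH_URL),
        ("mail without url", MAIL_NO_URL),
        ("access log", ACCESS_LOG),
        ("mail, upper-case scheme", MAIL_UPPER_SCHEME),
    ]
    for name, sample in samples:
        iocs = [url_to_ioc(m) for m in raw_url_matches(sample)]
        print(f"{name:24} matches={with_urls(sample)!s:5} urls={iocs}")
```

The access-log sample shows why the false-positive scenarios below only matter for content that also carries mail headers, and the first sample shows the regex overrun ("/login before Friday." is part of the raw match), which is why a hit's URL should be trimmed before it is used as an indicator.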
Scenario: Scheduled Job for Log File Archival
Description: A scheduled job runs nightly to archive log files, which may include URLs as part of log entries (e.g., access logs from a web server).
Filter/Exclusion: Exclude hits whose source file is a log file (e.g., *.log, access.log, error.log) rather than a mail message. Use a filter like:
(file_name contains "access.log" or file_name contains "error.log")
Scenario: System Update or Patch Deployment
Description: A system update or patch deployment tool (e.g., Ansible, Puppet, Chef) may include URLs for downloading packages or configuration files.
Filter/Exclusion: Exclude events where the URL points to a known update tool's package repository (e.g., https://repo.example.com serving *.deb or *.rpm packages). Anchor the exclusion on the repository host rather than on the file extension alone, since any host can serve a file named *.deb. Use a filter like:
(url contains "repo.example.com" or url contains ".deb" or url contains ".rpm")
Scenario: User-Initiated File Download
Description: A user may download a file from an internal or external URL as part of their daily tasks (e.g., downloading a report from a SharePoint site or a file from a cloud storage service).
Filter/Exclusion: Exclude events where the URL's host is a known internal file server or cloud storage tenant (e.g., sharepoint.example.com, onedrive.example.com). Use a filter like:
(url contains "sharepoint.example.com" or url contains "onedrive.example.com")
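The three filters above all use a plain "contains" test, which is easy to write but is satisfied by any URL that merely embeds the trusted name. As an added example (not part of the original page), the following code implements the exclusions twice over a set of constructed match events: once literally, as substring checks, and once hardened so that the file name must equal a log file name and the URL's parsed host must be the trusted host or a subdomain of it. The field names file_name and url, the host names and the sample events are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the original page: the exclusion filters from the
# scenarios written as code, first as the literal "contains" checks and then as
# a hardened version that matches on the parsed host and the exact file name.
# Field names (file_name, url), host names and events are hypothetical.
LOG_FILES = ("access.log", "error.log")
TRUSTED_HOSTS = ("repo.example.com", "sharepoint.example.com", "onedrive.example.com")
PACKAGE_EXTENSIONS = (".deb", ".rpm")


def naive_excluded(event: dict) -> bool:
    """The filters as written: plain substring matching on path and URL."""
    f, u = event["file_name"], event["url"]
    return (any(n in f for n in LOG_FILES)
            or any(h in u for h in TRUSTED_HOSTS)
            or any(ext in u for ext in PACKAGE_EXTENSIONS))


def is_trusted_host(host: str) -> bool:
    """Exact trusted host or a subdomain of it; never a substring match."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def hardened_excluded(event: dict) -> bool:
    """Same intent, but anchored: the base name must equal a log file name and
    the URL's parsed host must be trusted. A package extension alone is not an
    exclusion, since anyone can serve a file named *.deb from any host."""
    base = re.split(r"[\\/]", event["file_name"])[-1]  # handles / and \ paths
    if base in LOG_FILES:
        return True
    host = (urlsplit(event["url"]).hostname or "").lower()
    return is_trusted_host(host)


def triage(events: list[dict], excluded) -> list[str]:
    """URLs that survive the exclusion and still need analyst attention."""
    return [e["url"] for e in events if not excluded(e)]


# Constructed match events: the first three are the benign cases from the
# scenarios, the last three are look-alikes built to slip past substring filters.
EVENTS = [
    {"file_name": "/var/log/nginx/access.log", "url": "http://cdn.example.com/app.js"},
    {"file_name": "ansible-run.out", "url": "https://repo.example.com/pool/main/curl.deb"},
    {"file_name": "weekly.eml", "url": "https://sharepoint.example.com/sites/finance/Q3.xlsx"},
    {"file_name": "invoice.eml", "url": "https://sharepoint.example.com.attacker.test/login"},
    {"file_name": "invoice.eml", "url": "https://attacker.test/?next=https://onedrive.example.com"},
    {"file_name": "notes.eml", "url": "http://203.0.113.9/update.deb"},
]


if __name__ == "__main__":
    print("left for review with naive filters:   ", triage(EVENTS, naive_excluded))
    print("left for review with hardened filters:", triage(EVENTS, hardened_excluded))
```

With the literal filters every event is excluded, including the three look-alikes; with the hardened version the three benign events are still suppressed while the look-alike host, the open-redirect style URL and the package served from a bare IP address remain in the queue.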
Scenario: Network Monitoring Tool Reporting
Description: A network monitoring tool (e.g., PRTG, Nagios, SolarWinds) may report URLs