Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco WSA - Unexpected URL

Cisco WSA - Unexpected URL

Back
Id010644fd-2830-4451-9e0e-606cc192f2e7
RulenameCisco WSA - Unexpected URL
DescriptionDetects unexpected URL.
SeverityMedium
TacticsCommandAndControl
TechniquesT1102
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml
Version1.0.2
Arm template010644fd-2830-4451-9e0e-606cc192f2e7.json
Deploy To Azure
let threshold = 5;
CiscoWSAEvent
| where UrlOriginal matches regex @'\Ahttp(s)?[:][/][/]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
| extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName

entityMappings:
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
triggerOperator: gt
tactics:
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAUnexpectedUrl.yaml
version: 1.0.2
query: |
  let threshold = 5;
  CiscoWSAEvent
  | where UrlOriginal matches regex @'\Ahttp(s)?[:][/][/]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
  | extend URLCustomEntity = UrlOriginal, AccountCustomEntity = SrcUserName  
triggerThreshold: 0
relevantTechniques:
- T1102
queryPeriod: 1h
status: Available
severity: Medium
kind: Scheduled
name: Cisco WSA - Unexpected URL
queryFrequency: 1h
id: 010644fd-2830-4451-9e0e-606cc192f2e7
description: |
    'Detects unexpected URL.'
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma