Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Access to unwanted site

Back
Id38029e86-030c-46c4-8a91-a2be7c74d74c
RulenameCisco WSA - Access to unwanted site
DescriptionDetects when users attempting to access sites from high risk category.
SeverityHigh
TacticsInitialAccess
TechniquesT1566
Required data connectorsCiscoWSA
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml
Version1.0.1
Arm template38029e86-030c-46c4-8a91-a2be7c74d74c.json
Deploy To Azure
let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
CiscoWSAEvent
| where UrlCategory in~ (risky_sites)
| where DvcAction =~ 'DEFAULT_CASE'
| extend AccountCustomEntity = SrcUserName
name: Cisco WSA - Access to unwanted site
query: |
  let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);
  CiscoWSAEvent
  | where UrlCategory in~ (risky_sites)
  | where DvcAction =~ 'DEFAULT_CASE'
  | extend AccountCustomEntity = SrcUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - CiscoWSAEvent
  connectorId: CiscoWSA
version: 1.0.1
status: Available
queryPeriod: 1h
id: 38029e86-030c-46c4-8a91-a2be7c74d74c
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1566
severity: High
description: |
    'Detects when users attempting to access sites from high risk category.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/38029e86-030c-46c4-8a91-a2be7c74d74c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/38029e86-030c-46c4-8a91-a2be7c74d74c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cisco WSA - Access to unwanted site",
        "description": "'Detects when users attempting to access sites from high risk category.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let risky_sites = dynamic(['IW_adlt', 'IW_hack', 'IW_porn']);\nCiscoWSAEvent\n| where UrlCategory in~ (risky_sites)\n| where DvcAction =~ 'DEFAULT_CASE'\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "38029e86-030c-46c4-8a91-a2be7c74d74c",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml"
      }
    }
  ]
}