Cisco WSA - Internet access from public IP

Back


Id	4250b050-e1c6-4926-af04-9484bbd7e94f
Rulename	Cisco WSA - Internet access from public IP
Description	Detects internet access from public IP.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml
Version	1.0.2
Arm template	4250b050-e1c6-4926-af04-9484bbd7e94f.json

KQL

let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list
CiscoWSAEvent
| where ipv4_is_private(SrcIpAddr) == false
| extend IPCustomEntity = SrcIpAddr

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml
queryFrequency: 1h
name: Cisco WSA - Internet access from public IP
severity: Medium
triggerThreshold: 0
query: |
  let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list
  CiscoWSAEvent
  | where ipv4_is_private(SrcIpAddr) == false
  | extend IPCustomEntity = SrcIpAddr  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
relevantTechniques:
- T1189
status: Available
triggerOperator: gt
queryPeriod: 1h
description: |
    'Detects internet access from public IP.'
id: 4250b050-e1c6-4926-af04-9484bbd7e94f
version: 1.0.2
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
kind: Scheduled
tactics:
- InitialAccess

ARM