Cisco WSA - Internet access from public IP

Back


Id	4250b050-e1c6-4926-af04-9484bbd7e94f
Rulename	Cisco WSA - Internet access from public IP
Description	Detects internet access from public IP.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	CiscoWSA
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml
Version	1.0.0
Arm template	4250b050-e1c6-4926-af04-9484bbd7e94f.json

KQL

let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list
CiscoWSAEvent
| where ipv4_is_private(SrcIpAddr) == false
| extend IPCustomEntity = SrcIpAddr

YAML

kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml
severity: Medium
name: Cisco WSA - Internet access from public IP
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
relevantTechniques:
- T1189
queryFrequency: 1h
triggerThreshold: 0
queryPeriod: 1h
description: |
    'Detects internet access from public IP.'
id: 4250b050-e1c6-4926-af04-9484bbd7e94f
version: 1.0.0
tactics:
- InitialAccess
query: |
  let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list
  CiscoWSAEvent
  | where ipv4_is_private(SrcIpAddr) == false
  | extend IPCustomEntity = SrcIpAddr  
status: Available
requiredDataConnectors:
- dataTypes:
  - CiscoWSAEvent
  connectorId: CiscoWSA
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4250b050-e1c6-4926-af04-9484bbd7e94f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4250b050-e1c6-4926-af04-9484bbd7e94f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco WSA - Internet access from public IP",
        "description": "'Detects internet access from public IP.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let ip_except = dynamic(['127.0.0.2']);    //Add exceptions to this list\nCiscoWSAEvent\n| where ipv4_is_private(SrcIpAddr) == false\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189"
        ],
        "alertRuleTemplateName": "4250b050-e1c6-4926-af04-9484bbd7e94f",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAPublicIPSource.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}