Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple attempts to download unwanted file

Back
Id46b6c6fc-2c1a-4270-be10-9d444d83f027
RulenameCisco WSA - Multiple attempts to download unwanted file
DescriptionDetects when multiple attempts to download unwanted file occur.
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version1.0.2
Arm template46b6c6fc-2c1a-4270-be10-9d444d83f027.json
Deploy To Azure
let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
queryFrequency: 1h
name: Cisco WSA - Multiple attempts to download unwanted file
severity: Medium
triggerThreshold: 0
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
relevantTechniques:
- T1189
status: Available
triggerOperator: gt
queryPeriod: 1h
description: |
    'Detects when multiple attempts to download unwanted file occur.'
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
version: 1.0.2
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
kind: Scheduled
tactics:
- InitialAccess