Cisco WSA - Multiple attempts to download unwanted file

Back


Id	46b6c6fc-2c1a-4270-be10-9d444d83f027
Rulename	Cisco WSA - Multiple attempts to download unwanted file
Description	Detects when multiple attempts to download unwanted file occur.
Severity	Medium
Tactics	InitialAccess
Techniques	T1189
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version	1.0.2
Arm template	46b6c6fc-2c1a-4270-be10-9d444d83f027.json

KQL

let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal

YAML

query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
status: Available
description: |
    'Detects when multiple attempts to download unwanted file occur.'
queryFrequency: 1h
name: Cisco WSA - Multiple attempts to download unwanted file
kind: Scheduled
triggerThreshold: 0
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
severity: Medium
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
relevantTechniques:
- T1189
tactics:
- InitialAccess

ARM