Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple attempts to download unwanted file

Back
Id46b6c6fc-2c1a-4270-be10-9d444d83f027
RulenameCisco WSA - Multiple attempts to download unwanted file
DescriptionDetects when multiple attempts to download unwanted file occur.
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version1.0.2
Arm template46b6c6fc-2c1a-4270-be10-9d444d83f027.json
Deploy To Azure
let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal
version: 1.0.2
queryFrequency: 1h
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
name: Cisco WSA - Multiple attempts to download unwanted file
triggerOperator: gt
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
description: |
    'Detects when multiple attempts to download unwanted file occur.'
queryPeriod: 1h
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
relevantTechniques:
- T1189
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
triggerThreshold: 0
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "properties": {
        "alertRuleTemplateName": "46b6c6fc-2c1a-4270-be10-9d444d83f027",
        "customDetails": null,
        "description": "'Detects when multiple attempts to download unwanted file occur.'\n",
        "displayName": "Cisco WSA - Multiple attempts to download unwanted file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
        "query": "let threshold = 2;\nCiscoWSAEvent\n| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'\n| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)\n| where array_length(i_src) >= threshold\n| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}