Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple attempts to download unwanted file

Back
Id46b6c6fc-2c1a-4270-be10-9d444d83f027
RulenameCisco WSA - Multiple attempts to download unwanted file
DescriptionDetects when multiple attempts to download unwanted file occur.
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsCiscoWSA
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version1.0.1
Arm template46b6c6fc-2c1a-4270-be10-9d444d83f027.json
Deploy To Azure
let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal
kind: Scheduled
relevantTechniques:
- T1189
description: |
    'Detects when multiple attempts to download unwanted file occur.'
queryPeriod: 1h
queryFrequency: 1h
tactics:
- InitialAccess
name: Cisco WSA - Multiple attempts to download unwanted file
requiredDataConnectors:
- connectorId: CiscoWSA
  dataTypes:
  - CiscoWSAEvent
- connectorId: SyslogAma
  datatypes:
  - Syslog
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
triggerThreshold: 0
version: 1.0.1
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "properties": {
        "alertRuleTemplateName": "46b6c6fc-2c1a-4270-be10-9d444d83f027",
        "customDetails": null,
        "description": "'Detects when multiple attempts to download unwanted file occur.'\n",
        "displayName": "Cisco WSA - Multiple attempts to download unwanted file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
        "query": "let threshold = 2;\nCiscoWSAEvent\n| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'\n| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)\n| where array_length(i_src) >= threshold\n| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}