Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco WSA - Multiple attempts to download unwanted file

Back
Id46b6c6fc-2c1a-4270-be10-9d444d83f027
RulenameCisco WSA - Multiple attempts to download unwanted file
DescriptionDetects when multiple attempts to download unwanted file occur.
SeverityMedium
TacticsInitialAccess
TechniquesT1189
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
Version1.0.2
Arm template46b6c6fc-2c1a-4270-be10-9d444d83f027.json
Deploy To Azure
let threshold = 2;
CiscoWSAEvent
| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
| where array_length(i_src) >= threshold
| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal
id: 46b6c6fc-2c1a-4270-be10-9d444d83f027
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
triggerThreshold: 0
queryPeriod: 1h
query: |
  let threshold = 2;
  CiscoWSAEvent
  | where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'
  | summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)
  | where array_length(i_src) >= threshold
  | extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal  
name: Cisco WSA - Multiple attempts to download unwanted file
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
description: |
    'Detects when multiple attempts to download unwanted file occur.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml
tactics:
- InitialAccess
triggerOperator: gt
relevantTechniques:
- T1189
version: 1.0.2
kind: Scheduled
status: Available
severity: Medium
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/46b6c6fc-2c1a-4270-be10-9d444d83f027')]",
      "properties": {
        "alertRuleTemplateName": "46b6c6fc-2c1a-4270-be10-9d444d83f027",
        "customDetails": null,
        "description": "'Detects when multiple attempts to download unwanted file occur.'\n",
        "displayName": "Cisco WSA - Multiple attempts to download unwanted file",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
        "query": "let threshold = 2;\nCiscoWSAEvent\n| where DvcAction =~ 'BLOCK_ADMIN_FILE_TYPE'\n| summarize i_src = makeset(SrcIpAddr) by UrlOriginal, bin(TimeGenerated, 15m)\n| where array_length(i_src) >= threshold\n| extend IPCustomEntity = i_src, UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1189"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}